Analysis

  • max time kernel
    146s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-08-2024 01:08

General

  • Target

    8cb76ce336cd55da833ed2add8fc2caa_JaffaCakes118.exe

  • Size

    304KB

  • MD5

    8cb76ce336cd55da833ed2add8fc2caa

  • SHA1

    26d2906e8ae0837782d94a5ea2b289db716ede01

  • SHA256

    f3f111ab3859aff427f00d20a55c79660b1f5926cb350af70347d75d1d9bcec2

  • SHA512

    fa68647ff85e50857d284933dfa8f94467a085ce8eacbeef82822e91c86fad28f3b72f4165571588035123aa8bc1c3d9ba733ec6eea8bcdf34e8ea954413ce7d

  • SSDEEP

    3072:BJeJucxwPZoq/vd7AmQ27XBDlgCkkg+RTZeXi2WW+MN+0dPfZ:BJeJuewf97L7RDbkkg+RgzcMNnPB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cb76ce336cd55da833ed2add8fc2caa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8cb76ce336cd55da833ed2add8fc2caa_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uhugegx.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Users\Admin\AppData\Local\Temp\twcxyj.exe
        "C:\Users\Admin\AppData\Local\Temp\twcxyj.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3732
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\twcxyj.exe

    Filesize

    180KB

    MD5

    2092b6d438111de2499b7547fce03fb5

    SHA1

    91b12e30bd260ad319149819ae1ad22efa7b9bf2

    SHA256

    4f16de920c6ff947fbab089bc12b58b32ebb5e8c9be18a099fa10bd3dcdd2291

    SHA512

    a45b283608a28b364128bbb40625fce4ffec8561f51834daff4afef254ce8017547a9a41dc26d21ac641b57b76572da306027ad6d5d8bd352afeb03ad03a347d

  • C:\Users\Admin\AppData\Local\Temp\uhugegx.bat

    Filesize

    124B

    MD5

    f8998ff64cb0e5b90d98f256e2b6783e

    SHA1

    975983f49cf098e5fbcfd98ef06da19592a2c3ff

    SHA256

    f69a696d3ecd76cda9ac82fff4dfddf94c5a44c8c63de97f994feba8f8c829e1

    SHA512

    626caa093eb27334109bb21951cd2ac06e489bbb4d6c852e9c3190500df3fc5addb7252dedf2eca3a5df40dee274d8ca897a5d608a6fc46005af54dd32b34c2d

  • C:\Users\Admin\AppData\Local\Temp\vahlyp.bat

    Filesize

    170B

    MD5

    da8a3b8ec40bcfb225a10ab2aa144c49

    SHA1

    4b90672147ea2550dc80d51582cc961d65436ae8

    SHA256

    9c4d0cc58c492937c7e2beb8f7c24070454030aab4e1e52dc03125cdd227aa9b

    SHA512

    f62b09f1b6bdcf27ce36747a1c9cec5001304c4a22c5e4214f2983f16c5ebdaf950595a46b5faaa217f7202d969fa98e3ad72c6d6baa358e149f65010d2a5942