Overview

overview

7

Static

static

3

8dbf8f1d5a...18.exe

windows7-x64

7

8dbf8f1d5a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe

  • Size

    102KB

  • MD5

    8dbf8f1d5aea16a940a6d8d1de03c945

  • SHA1

    f0fdda337b3f9e414ed4b84a8af54c07209ccea5

  • SHA256

    fd434f3356c0d62c06f6aced1623dc7daac90a8f78b21455f2ef559e1b039410

  • SHA512

    0b001aeed21ae2ee2a355bc912c2d0bcf8a709584b08e3fdc41b84332b6311ea4dcf12abfae14237d00ff52f42c65304a14982b74396988898c8edbbd27d36e3

  • SSDEEP

    3072:zftffjmNoxlfP2d67tPmFsp2MdYDluW1Sgs10MtNXFokMDvi:DVfjmNn/6EluW1Psv

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C01.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            PID:1296
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4276
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4380
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3940

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      244KB

      MD5

      d266bf36f1ce0dcfa79f3a7e8daae38a

      SHA1

      c463ca34c2f1434e827d6f855d7ab144630f8b88

      SHA256

      de500a2e97e8f587bf574e809590af24e53c18ea77012335740340d0bbd7c267

      SHA512

      fe37f23a33116b4325004e40a40990fced5e7e7d925f9a8bd2279b3f4995d5080fc1b876d332eac260d2c3a4d0c8ad631f3e045300245475b290d5dfac810911

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      570KB

      MD5

      2e0e37544c0d434093d63e04a4602859

      SHA1

      312703a46b2936810047db3cd5b1f45bb337a57c

      SHA256

      8a44e191d00efe3ccf65fb2a4ebef7ce273c691d93d3df9d9de5ee371441ea58

      SHA512

      3728f0cb00ebad8473723478aa033571bd4b482fdc8b043a30f65ae99a69cfc7c612d66180b7b13ef69bc49c5b1b01a2af8797560bfe251e1f578f5b767687ab

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      636KB

      MD5

      7c0581e2c34a99e0e6b7b63deb7540d8

      SHA1

      2ad688b178321284f2eab56ad02ef1d32e7ea46f

      SHA256

      200d8896a4cf3d442567696ff425b2aeca8b87428173337c4f5b9022ae0d6ab0

      SHA512

      4e65033131dd98ef1eb39d5da1c3a92b8d4c3ca083edb3db7bf9f555e57285f9f5c63bdc4d24cc5aa63312edd216ebc74c0a7f74ed38783e27998a2c013a496e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a9C01.bat
      Filesize

      614B

      MD5

      e86a2defef2459ffec5a8b1f4442d7c2

      SHA1

      1dea36d5142b9eb3a0292be74ad4a88b57283d50

      SHA256

      cc2539fad16b18da41f8b60635619d844093d2138d5f1ef4f1367f7ea65b5244

      SHA512

      e9e88ebbd40489c724d6128646d60450bbfe4d3002b1eda8c3c28e47bbda0f329cc7d6b820d65be169809b633d5ab3afae1c867b19dd0e5cc50263899ee924b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe.exe
      Filesize

      76KB

      MD5

      ab74aa8defc1ca82759788a55b673629

      SHA1

      64eaa5f6cc51635124674c4439ac34f7dd46bc13

      SHA256

      f6888f5a134294c2ed1be85357f1a7bf2eee9653251aa63271bb6e570caffc6a

      SHA512

      b54507a8d5086eb293bdc452b131cab1e5f3d9c92429b5d22ed82ff14386038eb903d1babdea95c16134771906329f40fcfbf3aad4b7fccddd0a417b147718b3

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      5d629e10931355c7c3664661f02486b8

      SHA1

      4ee30faf056a32b6f83fa902f7b68d9ffd9c0de1

      SHA256

      5ef46780ddef96df9b110efb96209c85b898b54584af78bacd6986c5c5be15ab

      SHA512

      98a82ec1dbe3b3ac7b8751334e24a9952b30b5672d7c767116fbd0bf5728ee70eb6fab73ac9ae0c1b66bf537f03a37c8354534743102a0b29d8f55032c340bfa

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini
      Filesize

      9B

      MD5

      1d7eff79e14bea77e992f25202a6decc

      SHA1

      2481953494e9f17a5d9c8186bac1e89c460da06b

      SHA256

      0bc3f26881fb44793cd3a989e616ce2b45848152d57eb4a38fd5f06df63f0a9a

      SHA512

      e9cffe2ce1cc689a1a0c9bee4da9e0ab90625931729257893780b13eb9060ee26bf373c87c0ae33e3fcdc3e8614d415ac00fe57fd7f1fb4908212cc145c8d9ad

      Download Submit

    • memory/1840-10-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1840-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-27-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-37-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-34-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-1234-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-20-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-4792-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-11-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4276-5237-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download