Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/08/2024, 13:49

General

  • Target

    8ef7a77e3251843d5c483b4079c21239_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    8ef7a77e3251843d5c483b4079c21239

  • SHA1

    35b9eb0f9edca1ad25b817ac9ea3466c79700b98

  • SHA256

    82d30cbd2fa146dba047cc6db8621e6ca5e1c8458c8b38386e0d64674927bddc

  • SHA512

    5e1285f687856ea8f5dd60ceaa5561bb0c510d1a161ed9857cc52b07a6ba2ddff94efde49d4827352c6790e99683068acd1eedc64e2a8db7cf79b0c3780885bc

  • SSDEEP

    384:aS7e2bL8FmTZlnCZNsqd/rCHFuXybCMp9E5jrfSWoqXOXWP1KmWtgX:ayL8FmTZlC3fGSAEtrSWo1Ov

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ef7a77e3251843d5c483b4079c21239_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8ef7a77e3251843d5c483b4079c21239_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\72C0.tmp.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2908

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\72C0.tmp.bat

    Filesize

    207B

    MD5

    f8e69a836491e6cdc59f3c256f29e337

    SHA1

    04af7e9beddc5e775c7df720cb3f6fb0f5c85975

    SHA256

    e873ccbc9a228a86fb6913a5c6f3f30dc2ecbbf76c016e00123380f3a13e55b4

    SHA512

    5672da75a1dbd5e97bd2cd92438365c468b76f8d870c0aabe9f3be746342172c012f8bc22625117ea22b9e9e6441599dbaaa9630e666261cea555915fb876cf2

  • C:\Windows\SysWOW64\myowoflu.nls

    Filesize

    428B

    MD5

    1d3759bf6bfcd56812d4c7a38fc230bd

    SHA1

    4ef68afd4bf5598e075cc604168f28706d4d2613

    SHA256

    c72245140d07bfeb3f4fde9f11c8662d840fe1ea49f750b86041696f609c1e60

    SHA512

    e2a46695431de487fbec0bb3c69c83d698f51422a8d3c015d57de81363e570869bfb7646b76b89df8657584476c844219fa838fae65525aaa0428620a5fb7dbe

  • C:\Windows\SysWOW64\myowoflu.tmp

    Filesize

    2.3MB

    MD5

    69d925dc748774a364b2f8386b19a4f2

    SHA1

    4651ca62d95ad5fde233df1c9cb4b2a434665b8a

    SHA256

    9826bfb830300104c3aae87c73697766b81f4de4c42d1266576529eb38e5c019

    SHA512

    2127f584fb361b0b91d7551bb7c13e775cb52736045766039835b01fb9f8f317b8afc0095cf4e54e8ba5d753c6eca0e7eb780c51d7e332215f7148930622e9c3

  • memory/2312-16-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/2312-25-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB