Overview

overview

8

Static

static

3

a48ce54381...18.exe

windows7-x64

8

a48ce54381...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a48ce5438105cf62197d7347a571338d_JaffaCakes118.exe

  • Size

    111KB

  • MD5

    a48ce5438105cf62197d7347a571338d

  • SHA1

    3e3c6b1dda526413d0b56d058cb01660ccb5e750

  • SHA256

    6264e95e9124567cc7368a6420759fc15bac4b52d0babaee3ece46bf592cb597

  • SHA512

    e2a1d6df9ccf80a1ada60046a76d2748b5f88cfe6596127dfaa633e12055d4dbcd72e165f1a03f41fdd739e0c1192f9410c05f1ede66c06b92279d32b7bbd827

  • SSDEEP

    3072:8ClbnA+uZMSie/IdG8xAh5BPnnvbOm+tBjQehgCKs2MC:8GbnA+uZMS1IdG8xAhzXKnXQuXKs2P

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a48ce5438105cf62197d7347a571338d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a48ce5438105cf62197d7347a571338d_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im ZhuDongFangYu.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\MyInformations.ini
    Filesize

    345B

    MD5

    513b721d4142399189cbc7b9916b7a25

    SHA1

    f7c9252c44a890a61a9c0b448940a2663edcb403

    SHA256

    5c9d7cb59f1a5345bf80fbb578847c2a921f781d12a58df097f8f4db7ca5bd8a

    SHA512

    5dd32fc9e2219c314ad65665fd9e766c0a0e6c83eba49144fa2cb71cc0a0a99fc13f019854f331799a0f3ea09f308eb4f6e2258c80432847fbb9dee42e1c9ff3

    Download Submit

  • \??\c:\windows\SysWOW64\gj.dll
    Filesize

    94KB

    MD5

    3cc1a18f670dda332c98816a1ee5d8db

    SHA1

    156c4ce53f72b70c52ff45ccbe627aa9f596f286

    SHA256

    5d78e8b3b091719965b0929e2dc0f74f2cd8625933274a4efcf22fb61dfc27ee

    SHA512

    b3358538af0cce9f6a59ae81ae6d90cd8bf1ce04cb6e22a5a6c18fdd96df220fcdeacf96de1b9450b0972c3c05be9c2f583fd0180b68f89dd0f534ffd1bfed1a

    Download Submit

  • memory/448-23-0x0000000010000000-0x000000001001A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/448-24-0x0000000010000000-0x000000001001A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3016-0-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/3016-22-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download