Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    17/08/2024, 01:17

General

  • Target

    a0ab970a1bb1b6b94ec02cfa8b7f2c4f_JaffaCakes118.exe

  • Size

    123KB

  • MD5

    a0ab970a1bb1b6b94ec02cfa8b7f2c4f

  • SHA1

    2da435364f04be5956b20b37a65ef5c3dc041f4b

  • SHA256

    468a62e34708d2d6a507a9f250a7947097a96c27113448c8dffcba8bc1f8733b

  • SHA512

    7b60c80ccc668224c5492b824fee846e885cef134074c8af7b122d079ba1d8ed7b81dafded81c01e09fa22ac0a3c035dc3344ed1c7d81a1a492d5a6bcebb99fb

  • SSDEEP

    3072:STAYF+lR7g62l6KzaJ9BIOWT/iJaH7Ph6+gKRIXmdDI+3c:OAYA7gQB1WCK7PGybc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0ab970a1bb1b6b94ec02cfa8b7f2c4f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a0ab970a1bb1b6b94ec02cfa8b7f2c4f_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\1.exe
      "C:\Windows\1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 36
        3⤵
        • Program crash
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\1.exe

    Filesize

    113KB

    MD5

    3360dc110eab4d9b98316ed4dd81735c

    SHA1

    35249b8eb6f71bbf1608400d9468e5cafcf0c3b8

    SHA256

    d568d75a803f6e10abe9b1daca7c999c11f95cef38ba29b7f3cee6f603efd51b

    SHA512

    d08e61639e99cbb45739e0ccb5f7257715cae015e4a48d87df73642f41baf48f49ca2f41419ff76273503de89dde2e8b0d3998e0cfb0e03d3a02b42c6b0bd97f

  • memory/2752-10-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2884-0-0x0000000000400000-0x0000000000421200-memory.dmp

    Filesize

    132KB

  • memory/2884-8-0x00000000028F0000-0x000000000293E000-memory.dmp

    Filesize

    312KB

  • memory/2884-7-0x00000000028F0000-0x000000000293E000-memory.dmp

    Filesize

    312KB

  • memory/2884-11-0x0000000000400000-0x0000000000421200-memory.dmp

    Filesize

    132KB