Overview

overview

7

Static

static

3

a2617801dc...18.exe

windows7-x64

7

a2617801dc...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 11:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a2617801dcc538daf32a840b74bbfa94_JaffaCakes118.exe

  • Size

    99KB

  • MD5

    a2617801dcc538daf32a840b74bbfa94

  • SHA1

    3b33ad156291a465c849e70b7231068342d4ccaf

  • SHA256

    ddafb17dd38eb20e54b727a1c17c659d6130ee14e8a3fa952f18c43f47a47cbf

  • SHA512

    6b1d2596662d61ab451aa45f1aca6e8f5b34802bee334c2fc8b1a0ca5c87ff4804b36023efa27bceedfb973b634c5d961f9ecec9f9b07b227d7bf2a48faca396

  • SSDEEP

    1536:lVq+QT183XZnxaK42eU9fhlR7zDefWpqFQJcNC0mevWxvm7ncgHcxKo9:JW+HyKJect7zDefpGc8C+RinX8xKo9

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2617801dcc538daf32a840b74bbfa94_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a2617801dcc538daf32a840b74bbfa94_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Windows\SysWOW64\intenat.exe
      C:\Windows\system32\intenat.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 380
        3⤵
        • Program crash
        PID:1744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 500
        3⤵
        • Program crash
        PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3976 -ip 3976
    1⤵
      PID:3616
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3976 -ip 3976
      1⤵
        PID:704

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\Deleteme.bat
              Filesize

              147B

              MD5

              3304d8fd05459371c460043cc5287f4d

              SHA1

              7fec4138b6ef26df569ea0d5665414f7e753d80d

              SHA256

              7766a04241de4f883929e3d6f65b13cccf8cfe50546606e7370ff9aa3804eafd

              SHA512

              a5fc94407423c72242b07373db6e54aecc67bad3f3d902d390fa6886f6964d2419d23a1e0338917318b8928860d71685da4bdc76b6b28ab3a3105c1a58ba4dcd

              Download Submit

            • C:\Windows\SysWOW64\intenat.exe
              Filesize

              99KB

              MD5

              a2617801dcc538daf32a840b74bbfa94

              SHA1

              3b33ad156291a465c849e70b7231068342d4ccaf

              SHA256

              ddafb17dd38eb20e54b727a1c17c659d6130ee14e8a3fa952f18c43f47a47cbf

              SHA512

              6b1d2596662d61ab451aa45f1aca6e8f5b34802bee334c2fc8b1a0ca5c87ff4804b36023efa27bceedfb973b634c5d961f9ecec9f9b07b227d7bf2a48faca396

              Download Submit

            • C:\Windows\SysWOW64\key.dll
              Filesize

              43KB

              MD5

              62b93a4c9ace301a4d1b45ad6c234568

              SHA1

              fe96bd64dd5c68c932b8dcabb1b8e49a4dcb65bb

              SHA256

              b9148170439c13315a53863b131791993c09647206e7914b4cf4a6cae01f45b1

              SHA512

              dc8bf4251b139de03e9026b4fd253aef97044c45b15911fcaeb14fe396f0f75870c831aadef60225c94ed521ea016011aebd0b2a6727f2f296e25aebb91d19c2

              Download Submit

            • memory/3976-9-0x0000000000580000-0x000000000058F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/3976-14-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4396-12-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download