Analysis

  • max time kernel
    81s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 02:17

General

  • Target

    a50161c692176881f278e845982bfc9b_JaffaCakes118.exe

  • Size

    233KB

  • MD5

    a50161c692176881f278e845982bfc9b

  • SHA1

    009b7179b030277ed276ddc71990f50ee4f91db3

  • SHA256

    96acee8598de8b9e84b407d971bbb4c1f60aead6135e509a3c79ab5e8aa2726a

  • SHA512

    3daa0057cc89f301380e51b9d2d80589f59fe6935865ced2979c796fa274123bb93e25274e70ec325d712ef71a73a7a64374c49c2903c05ae1db282d1a014596

  • SSDEEP

    6144:VNSDyeRO1thpBu6ZGGexdkXJhT0PmJVGEvjDx7p:/SDy/1tjwxdkXJZ0mJl7p

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a50161c692176881f278e845982bfc9b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a50161c692176881f278e845982bfc9b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\tazebama.dl_

    Filesize

    164KB

    MD5

    27d39f9bf3b7c4a9b52e243ac0da1905

    SHA1

    bd7f91d2068b592076319c014048c973a64d0de8

    SHA256

    53918ff27bbf926fc8c103443f1493441c12381b2069da9c77efdec4304aaf3d

    SHA512

    a57860dff6696525658d0fb4b6870f4ebe9d0ce87636e6ba34034667369a5ac38f13b0f787c76db73eca7559ba8cb750d6258ca32a189e4c7def4c345fd35023

  • C:\autorun.inf

    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

  • C:\zPharaoh.exe

    Filesize

    84KB

    MD5

    0be55707ec00d8df7ad86b6392ae8440

    SHA1

    fb367e65eb2161bf9fea64e1dcd9c73510ecd094

    SHA256

    cfce2913210972ddef8fd7242a72de4a7a8157b978d109516a0ab32e4aee0598

    SHA512

    1bd7a672607edf189b91ac9c724742e956ae1f541fcc0c648954fc48224355fc2454d44174cea1bc322810d23a32cc16569476ea8b323a0c1ef5d900a2606812

  • F:\zPharaoh.exe

    Filesize

    164KB

    MD5

    80fb850473644dbbcf8d365cb7c77dcb

    SHA1

    723245d5fe6536ac34231aedd26d8aa805483775

    SHA256

    a110be92f6628bad7c8d2fafaae0ffc1d3246917648f7fe02ecce59ec77a38b1

    SHA512

    d78dde1bede529c1c1ee77ee266f316f9af278b4973079782d817e18e90ca6a762cd6ba5a01dc0fae766c031da75a9d7583d0df3144420cca7f93204ab33252a

  • \Users\tazebama.dll

    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

  • memory/2552-14-0x0000000000260000-0x000000000027A000-memory.dmp

    Filesize

    104KB

  • memory/2552-13-0x0000000001006000-0x0000000001012000-memory.dmp

    Filesize

    48KB

  • memory/2552-0-0x0000000001000000-0x0000000001014000-memory.dmp

    Filesize

    80KB

  • memory/2552-12-0x0000000000260000-0x000000000027A000-memory.dmp

    Filesize

    104KB

  • memory/2552-6-0x0000000001000000-0x0000000001014000-memory.dmp

    Filesize

    80KB

  • memory/2552-47-0x0000000001006000-0x0000000001012000-memory.dmp

    Filesize

    48KB

  • memory/2552-48-0x0000000001000000-0x0000000001014000-memory.dmp

    Filesize

    80KB

  • memory/2552-49-0x0000000000260000-0x000000000027A000-memory.dmp

    Filesize

    104KB

  • memory/2552-50-0x0000000000260000-0x000000000027A000-memory.dmp

    Filesize

    104KB

  • memory/2908-16-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2908-46-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB