Overview

overview

7

Static

static

3

a6f25dca32...18.exe

windows7-x64

7

a6f25dca32...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-08-2024 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6f25dca320b6db51b4fcbd0f74b5b71_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    a6f25dca320b6db51b4fcbd0f74b5b71

  • SHA1

    da0824439eccac518ef6361078b261002e5f5423

  • SHA256

    dbb03f04266a0aeedab6ee95f5159f91cb277f17e65cc3467b390222e654bdad

  • SHA512

    96dd302f72a12b795ea4827bde7f6cb1edcfb9f97fd5b2e3072c33b2d992105124aaceb37ae930f413d6503bf8b9b03405fbcaffaa4b18fb2e432f3439fd6994

  • SSDEEP

    24576:85QIzHyuhiDyrPZ8MU4ufxdW5A2mJr/kNHvQIkdh3YPT:85p6iPZA4hmp/j5Yb

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6f25dca320b6db51b4fcbd0f74b5b71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a6f25dca320b6db51b4fcbd0f74b5b71_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\3389.exe
      "C:\Users\Admin\AppData\Local\Temp\3389.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\61642520.BAT
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2836
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:1932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\adsl.exe.lnk
      Filesize

      289B

      MD5

      b45a12823d2168ce75291ea6e7ad5dc7

      SHA1

      03f3c4793e4f11e74b456bfec377dc1ed56f5fe0

      SHA256

      82f6903c937a5a14eb10277397eb705f44c0782ee268e3ba5200405a189970f8

      SHA512

      5d5a6258e2a908ca9fce3c134d70fe870cf6e635d408abaa3dc11ae9ad84ee5a068632d6c684e3dc4414c095dc7cac658048b5433e7b9e20fd320bc2be3a4617

      Download Submit

    • C:\Windows\61642520.BAT
      Filesize

      134B

      MD5

      441d37de5dd2d9e0e29fedf40f840628

      SHA1

      81bc144ca1e5e94eac95bf0a208a7e2de681dfd4

      SHA256

      6311ed8573ad1d14ce66b05c05409b877097992870de99578223b54f4d28f717

      SHA512

      a42cf38bae22f331b04668365adc9bbc272a879cf3b73c528fc015ccd4b3670a82645a80707e01b5b76b701d86b96084978a5ad3cbcbfa74dc79e816454c1bf4

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3389.exe
      Filesize

      746KB

      MD5

      d940a31e325889e91f52cf1dc8bca302

      SHA1

      e7bcf4f9ff25608d4524fc7711d1e938631e25c6

      SHA256

      5fedb4d0f4a1871b593967e725e775c29f573bf89a5dd1fae5dfb4916bc11c01

      SHA512

      e4ae50614d33db83bf8fd4534c60372ff0afbcedb52d2080332a4fd22fa661b2816469ed9a58df887bcde30211d9ca21a66e567b4e4fad00a1bdaf92d817bcfe

      Download Submit

    • memory/1180-19-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/1180-34-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/2220-0-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2220-18-0x0000000002F50000-0x0000000003012000-memory.dmp

      Filesize

      776KB

      Download

    • memory/2220-17-0x0000000000400000-0x0000000000494000-memory.dmp

      Filesize

      592KB

      Download

    • memory/2916-24-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/2916-36-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/2916-40-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download