Overview

overview

10

Static

static

3

a76cc16909...18.exe

windows7-x64

10

a76cc16909...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a76cc16909af08295b54cbb2d7c85ce3_JaffaCakes118.exe

  • Size

    151KB

  • MD5

    a76cc16909af08295b54cbb2d7c85ce3

  • SHA1

    88e05e4cb13a7fb5d958be6169e4a71ef1319c2e

  • SHA256

    906da4f9c9c364515611b5bed1b9483076aa51089b1f240b7fca7eafc8d51573

  • SHA512

    2402a046edcb29476f96cad38cf675c4ba3d97649c2d41729d4e45205d36f7b853c711b7be4911a4ac44a26713759c723e8167aa0695070bf1155546265d54b8

  • SSDEEP

    3072:XiHOgk1pHpPZkUjWVzplLS7DI3q7SuVq1AX+DQX2BC1DtPbUgVWzK7oknwo+B:uOgIPZk1VzplLvU6AX+DQX2B8hb2zfks

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a76cc16909af08295b54cbb2d7c85ce3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a76cc16909af08295b54cbb2d7c85ce3_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      52227803f26b1d23c02335f7e83c1fa9

      SHA1

      bd888780c3e7feb63ce54b56d23c4661a98489e8

      SHA256

      dbf76edd021aea3c29860d501778cb4354718e42b4461b3a5cf91569157094fa

      SHA512

      db097fee92c561110bcd4fa5d305bd3b08e98b9eea0b87c87b3977880a61264de9fb9cbb53d7e2fb5af2ff10539e77ed6f24f946abc2e88dd58afe3694198d46

      Download Submit

    • C:\autorun.inf
      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

      Download Submit

    • C:\zPharaoh.exe
      Filesize

      151KB

      MD5

      a1be19b7ca931be040f06a54779d1684

      SHA1

      86fe1776ff05540ca289dceb3830ea36dec3bd0c

      SHA256

      8907e55c940094b0d0c9c90ab8c0450a4fc3dbeb1db380d7844627b68044fa0c

      SHA512

      881edba87d6f6a7824a5e667bba6a3671978797c605a3dd2ac601c26295358d879fd701cbca78440280611811a4455c169d505c25cc5622ccc361170e5197741

      Download Submit

    • F:\zPharaoh.exe
      Filesize

      152KB

      MD5

      7f564c9a1aef03437fc6770e8c00d852

      SHA1

      c9e6db8f1c3f8c5c4ecd738f05a21a4c85c33f53

      SHA256

      12b93f5897857628e55d1588f3e450a032624c409f19cf1fc00ba5076ff09e15

      SHA512

      a6399f68d7fd847bf2825ac6f07903814e3e6771c88514209990ab3bf9fc53fc05d39fac6a877bfb8a0e6cfe25211e9774b01d3eb9a46e206c3871f14022c7b5

      Download Submit

    • memory/1820-27-0x000000002F461000-0x000000002F462000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1820-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1820-32-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1820-34-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1820-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2152-30-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download