Analysis

  • max time kernel: 150s
  • max time network: 138s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 20-08-2024 00:43

General

  • Target: ad3f1ed38cd9e5da7e14a04c08283bbb_JaffaCakes118.exe
  • Size: 236KB
  • MD5: ad3f1ed38cd9e5da7e14a04c08283bbb
  • SHA1: 516847db83efa438aacb34e0a6448cc27e4e7e76
  • SHA256: bba55a72f99eae89c8a0a56373b4cf5cf2e8e69f84f4375618583d17ce62d638
  • SHA512: f097a3d96fe03cfab72d7aa345f31972aea1b76538aba43baa79d92ad16e689a5bb76f51dcba7a3b90457276bfb583e266a105a56789b0264c3b33730bd7c4af
  • SSDEEP: 6144:Yxr52xUHGLlK+VfeHnl6uFJER5Br9clu6JrcwjY:YRxHGLlKO2rFJER9u/mwc

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad3f1ed38cd9e5da7e14a04c08283bbb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad3f1ed38cd9e5da7e14a04c08283bbb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\krbEACC.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 152
      2⤵
      • Program crash
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: a057764ea96e69644008ed94d4d5206c
    SHA1: 5de81f72894411a3378403859de76f2cd81eebac
    SHA256: cd7ea0e979d6174f7b2e7294d341b98d5b349ea77a181721b65dd7a292a3e27d
    SHA512: 11325d3221f75612734012ae07c1517b394a6ded2e2eb593ac1d36c446343571a96a8067365f620eedf49169976752eb7398334842c1962549f6ca9cc1b35016

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 3711fc884cabbebf4d6212f1d6a66b42
    SHA1: 118ccbb470463d1e0beaf329de5368cec10ddfa4
    SHA256: 45736c37955c715edb737a0989fa0e9dfcf1ffa7427a533fbac9d3992a1b5fb1
    SHA512: 968dd86e1564d5adbfaba4ee60b770941ad3e5ba22024cf01da2f94bb5cc0799dd617abe34642e1c315464795191209a188ec8d589baf23ebdc96dc8d358744c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 76ffbef372d657c6346907dc65b52bd7
    SHA1: a246deafcbd0ecc3aac5dd42e9f13d1fc0b7d97b
    SHA256: 7fbc5411f4810a881b53ac36213a250652d63c179458cf353f8701bd5ee350f5
    SHA512: a7bfadaf9e433ff98088e3558a1534efb2ca93c9b6de901c413781aea4d2e438d4c3fecfaa977818885aa16be21ea2ce2b0e209145fc32ea801c11cf6daac214

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 01a37d11cd4edbdb4a4ee5c7b5bffc93
    SHA1: 90a10792955f0a65752585c5f8f2e3d1ec230227
    SHA256: e738062548cf54855c7dc45b99a1542917c1b2af98a4ddce5daecbd26bd96368
    SHA512: 978855674452aed475fe38b62494eb5bc95c2191b94afb28a5e95f984fb7e2ef034c25427a7aaf392188bea504d97b6977c61e849952bf1f09f8f37268a85c13

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 5c8a6a00bb8032f20ada7913b5f43e64
    SHA1: 0bdc008ed4a29989cff6c8c88f62d450b411d575
    SHA256: 612edc360ea76fcf0ada3ba9bc7b6dd892a8c14114b723ee1f68eb24192070d5
    SHA512: 31cb6756cb85aec3826cab9f500334834e1870234281457693e73397facad09313a32a8474f974ac5fc1bb21b990584af99a720a7f510bb846dbffbcc5fc7914

  • C:\Users\Admin\AppData\Local\Temp\CabEA9F.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE58.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\krbEACC.bat
    Filesize: 188B
    MD5: 214e187c7b644b8c3313fb39a2c836b0
    SHA1: 94f79f05b0247cb0d4ffa7384105fb1d0701a5b4
    SHA256: 3610454b172516acfd57f2038ebea9c9566f50d434286d9ee32f3985f6718574
    SHA512: de10adc00470889edc53b403d32c1edcaf8ff856f1710e0f5b56250260c22668b82f839e38a71826282a2455b9794c8c575e4247a97563c5e801f1ba182d0244

  • \Users\Admin\AppData\Local\Temp\krbEACC.tmp
    Filesize: 104KB
    MD5: 9d68ef76b3943c5749c4f97e7aa4ebea
    SHA1: 3a2d9805af8e657824b1f4a5ebdd5282b06fccdc
    SHA256: 966db3224637c5434c21163c152f14ef7d5ede852e0beda045a9c1b0e537cab1
    SHA512: 518fd6a032da5154b9b1bc8ef80a73ff1281afce6b2b73cb49d44a733540337b69cbe9dd07e755c7db182794e5a546c81e93d9fbe8c289824389f3ee039f6150