Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-08-2024 13:23

General

  • Target

    af638f39457038101334ca66f1abd290_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    af638f39457038101334ca66f1abd290

  • SHA1

    73165c8afe8dafcc157a3854756193a002193c14

  • SHA256

    673b3e919c14fcbcd496957611f62ddc6c685507436ba12388daaddbffe3d856

  • SHA512

    c21f3bdf58fd381e25493a19213f24c382b19767820691339919e7fd594014c294ccf8e81914fff56a78d26217bb133d9a0debcbf31c621128e9fadccfc8f9b8

  • SSDEEP

    1536:PRQBHDf6cO/hj0dkGulSc16l6u+NMMl/KlYv1Tq5ThF6NIjP:4Yhjflu8CFF6CP

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af638f39457038101334ca66f1abd290_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\af638f39457038101334ca66f1abd290_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Users\Admin\lfciod.exe
      "C:\Users\Admin\lfciod.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\lfciod.exe

    Filesize

    96KB

    MD5

    c4775cab9e30f8bfaa2c7a4d2749277a

    SHA1

    fa11470da34a88d514ff1c79866a60f1663c5311

    SHA256

    df85746eafee01f0b3a15c9f7aa251c2c045298d375edbe5938e3ee274c31312

    SHA512

    bc14eda6c54f0cf2589f089ce7a0f30d90c4f0de6d106869303895b48de6113f8254dcc053a49ba61fa720dcf55ce52ece1b27f2fc38977162e5818e1cee036f