Analysis

  • max time kernel: 119s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 20-08-2024 20:46

General

  • Target: b0c64a19d28e4124429813e6a61b3dd9_JaffaCakes118.exe
  • Size: 26KB
  • MD5: b0c64a19d28e4124429813e6a61b3dd9
  • SHA1: 84c71dc44384d1b69ef9c60e329105f4bf6b8045
  • SHA256: 120078cded95a2ece7225460897044303a8a74b1402520d1b3ad54b2c18191f3
  • SHA512: f1559b642acd0a2d44dd5560e1b802fa645fe974d43d0b9929aa27a28a2f140a004f60b1f66c37b102dba5446344ee954ea225c070c3e6c58ae833bdc5460b83
  • SSDEEP: 768:gX/3WaoKc9CD4KESGBP96poMUx0yjnKF:gX/GaoKUFTBspg0h

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\b0c64a19d28e4124429813e6a61b3dd9_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\b0c64a19d28e4124429813e6a61b3dd9_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 260
          3⤵
          • Program crash
          PID:2016

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Windows\SysWOW64\Advapi32.test
      Filesize: 625KB
      MD5: 95e2376b3323f062eb562b8586d0f14a
      SHA1: 453d4c3bf4a489433b593420a37bbffb7749875a
      SHA256: bd3fa8750123d00aa0967fba44372c46ea002681da9c9b77a4f9261553e26017
      SHA512: b898603d07a49237e4dfc6872d5caa7616bae1258926f10e66c4d3f0d81cccefac1e844395b65bb1f308fbc022061b52e51f60658d0a546c04b365b3428cc87d

    • memory/1204-16-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
      Filesize: 4KB