Analysis

  • max time kernel
    135s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 03:17

General

  • Target

    b1e8eddbf1eecdb137b196bc10710403_JaffaCakes118.exe

  • Size

    12KB

  • MD5

    b1e8eddbf1eecdb137b196bc10710403

  • SHA1

    500d18d366c4d96075c202d93c2230c62d2c09c5

  • SHA256

    f6ec536c660d9c7907d44b6c8dd4c0c2f636aa58acd797951e8b21a1672557ba

  • SHA512

    bbafb371dad4652ef9c25f6cda20996fc1980e4ae66c4033c3c3887e2bc9e7222190c465725d1dc49924429c97ecd1e7d3eef651c691454d94d22045db98aa53

  • SSDEEP

    384:ZDPAO2kfWptEcH4nDl/MNq3Z9tA1UWVQvXj+GVAY:1P5P6EbMNq3Z9qUWMXKGR

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1e8eddbf1eecdb137b196bc10710403_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b1e8eddbf1eecdb137b196bc10710403_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\F1E2.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4480
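The process tree above shows two details worth encoding in a detection. First, the sample runs from the user's Temp directory and spawns cmd.exe with `/c` on a batch file that it also wrote to Temp (F1E2.tmp.bat). Second, the command line names `C:\Windows\system32\cmd.exe` but the process image is `C:\Windows\SysWOW64\cmd.exe`: the 32-bit parent is subject to WOW64 file system redirection, which is also why the "Drops file in System32 directory" signature resolves to files under SysWOW64 in the Downloads list. The following is an added example, not part of the sandbox report: a small rule over Sysmon-style process-creation events (field names Image, ParentImage, CommandLine, ProcessId are assumed to follow Sysmon Event ID 1) that matches on the image path rather than the attacker-controlled command line, with sample events constructed from this report.

```python
"""Detection for the process chain shown in this report's Processes section:
an executable running from a user's AppData\\Local\\Temp spawning cmd.exe
with "/c" pointing at a batch file that also lives in Temp.

Event field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine);
SAMPLE_EVENTS are constructed from the report, not real telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# <drive>:\Users\<user>\AppData\Local\Temp\ ... (case-insensitive)
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# First argument after "/c": quoted (group 1) or bare (group 2)
CMD_C_RE = re.compile(r'/c\s+(?:"([^"]+)"|(\S+))', re.I)
SCRIPT_EXT = (".bat", ".cmd")


def is_under_user_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def is_wow64(image: str) -> bool:
    """True for a 32-bit system binary: the image is under SysWOW64 even when
    the command line says system32 (WOW64 file system redirection)."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "syswow64" in parts


def flag_event(ev: Dict[str, object]) -> List[str]:
    """Reasons this process-creation event matches; empty list if none.
    Match on Image, not on the path inside CommandLine, which the parent controls."""
    reasons: List[str] = []
    image = str(ev.get("Image", ""))
    if PureWindowsPath(image).name.lower() != "cmd.exe":
        return reasons
    if is_under_user_temp(str(ev.get("ParentImage", ""))):
        reasons.append("cmd.exe spawned by executable in user Temp")
    m = CMD_C_RE.search(str(ev.get("CommandLine", "")))
    if m:
        script = m.group(1) or m.group(2)
        if is_under_user_temp(script) and script.lower().endswith(SCRIPT_EXT):
            reasons.append("cmd.exe /c runs a batch file in user Temp")
    return reasons


def triage(events) -> List[Tuple[int, List[str]]]:
    """(ProcessId, reasons) for every event that matched at least one rule."""
    out = []
    for ev in events:
        r = flag_event(ev)
        if r:
            out.append((int(ev["ProcessId"]), r))
    return out


SAMPLE_EVENTS = [
    # Reconstructed from the report's process tree (PID 3708 -> PID 4480)
    {
        "ProcessId": 4480,
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\F1E2.tmp.bat",
        "ParentProcessId": 3708,
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\b1e8eddbf1eecdb137b196bc10710403_JaffaCakes118.exe",
    },
    # Constructed benign control: a script launched from a vendor directory via Explorer
    {
        "ProcessId": 5100,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Vendor\update.bat"',
        "ParentProcessId": 1234,
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
    print("cmd.exe ran as WOW64:", is_wow64(SAMPLE_EVENTS[0]["Image"]))
```

When hunting for the dropped files on a 64-bit host, use `is_wow64` on the parent or child image to decide whether to look under SysWOW64 rather than System32; a 64-bit PowerShell session is not redirected and will not see the files at the path the command line suggests.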

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\F1E2.tmp.bat

    Filesize

    207B

    MD5

    dc25328c725b8090c757af3f5f554f4d

    SHA1

    0b233655dcf77f07df6f2dc7169acf1702033852

    SHA256

    b88ae29ed622534d73c8c6bd269b2c29e61be68f2347c8828a0bfdebfec42027

    SHA512

    d2279f436d49cfa797368644f06a7eb6a303a5b56c8013c833c329c9f668cf2e54dc6ef4e4e16b3d98ef163e4145129ca41a9a46309c001e3c857aa730585724

  • C:\Windows\SysWOW64\comuidsg.nls

    Filesize

    428B

    MD5

    39107c997cb2a99d7c9f04ec151bbd4e

    SHA1

    e5a7230cda8212de96a2d83b54908bb5ccc31d82

    SHA256

    ee5f8d09e0b59a3a33e033533b0f9dee588b5d2af477d50ab4c0b418cf158f93

    SHA512

    16f889f9a7ea7f578289d71043092c1d8f1f7d00d9770e5bcbd68aaee2f03ce796ec464952a92c83ef1d6b39c9c731efeb51c94ce427e777a7548de8a8eeb798

  • C:\Windows\SysWOW64\comuidsg.tmp

    Filesize

    644KB

    MD5

    01068cb398b1d1a93bc84963a1f2875f

    SHA1

    fc066ca5e9f4b7fb32cccb347f28b33bd71fd73c

    SHA256

    d20f75d534f008436166c3a7c4991f69cfa4e305675b34731bfbae9c49bd7b0f

    SHA512

    50d668e67bfcf1e211d71f92aaeea2a39b06a8e82155b26a73820017a5157b13215df85015a540c28153246917cfc33f49cc23737a6f81981b53213e14d8c7c7

  • memory/3708-17-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB

  • memory/3708-21-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB
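The Downloads list gives exact sizes and MD5/SHA-1/SHA-256 values for the batch file and the two files written to SysWOW64, which is enough to check other hosts for the same artefacts. The following is an added example, not part of the sandbox report: it copies those values into an IOC table, checks each reported path on a given root (a live volume, a mounted image, or a directory of exported files), and then sweeps the tree by SHA-256 in case the files were renamed or placed elsewhere. The `demo()` fixture, the `EMPTY_FILE_IOC` entry (well-known digests of zero-byte input) and the placeholder file contents are constructed for demonstration and do not come from the report; the 644KB size of comuidsg.tmp is rounded by the sandbox and is therefore not used for comparison.

```python
"""Hash check for the files this report lists under Downloads: look for each
artefact at its reported path, compare with the report's hashes, then sweep
the whole tree for the same SHA-256 values. REPORT_IOCS are copied from the
report; EMPTY_FILE_IOC and demo() are a constructed fixture.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Ioc:
    win_path: str          # path as reported by the sandbox
    size: Optional[int]    # exact byte count, or None when the report only gives KB
    md5: str
    sha1: str
    sha256: str

# Values copied from the report (comuidsg.tmp: 644KB is rounded, size not compared)
REPORT_IOCS: List[Ioc] = [
    Ioc(r"C:\Users\Admin\AppData\Local\Temp\F1E2.tmp.bat", 207,
        "dc25328c725b8090c757af3f5f554f4d",
        "0b233655dcf77f07df6f2dc7169acf1702033852",
        "b88ae29ed622534d73c8c6bd269b2c29e61be68f2347c8828a0bfdebfec42027"),
    Ioc(r"C:\Windows\SysWOW64\comuidsg.nls", 428,
        "39107c997cb2a99d7c9f04ec151bbd4e",
        "e5a7230cda8212de96a2d83b54908bb5ccc31d82",
        "ee5f8d09e0b59a3a33e033533b0f9dee588b5d2af477d50ab4c0b418cf158f93"),
    Ioc(r"C:\Windows\SysWOW64\comuidsg.tmp", None,
        "01068cb398b1d1a93bc84963a1f2875f",
        "fc066ca5e9f4b7fb32cccb347f28b33bd71fd73c",
        "d20f75d534f008436166c3a7c4991f69cfa4e305675b34731bfbae9c49bd7b0f"),
]

def hash_file(path: Path) -> Dict[str, str]:
    # MD5/SHA-1 are kept only for matching against systems that log nothing stronger
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def local_path(root: Path, win_path: str) -> Path:
    """Map a reported Windows path onto root, dropping the drive letter so the
    same IOC list works against a mounted image on a non-Windows analysis box."""
    rel = win_path[2:] if len(win_path) > 1 and win_path[1] == ":" else win_path
    return root.joinpath(*rel.strip("\\").split("\\"))

def check_ioc(root: Path, ioc: Ioc) -> str:
    """'absent', 'match' (SHA-256 equal) or 'present-mismatch'."""
    p = local_path(root, ioc.win_path)
    if not p.is_file():
        return "absent"
    if ioc.size is not None and p.stat().st_size != ioc.size:
        return "present-mismatch"      # cheap check before hashing
    return "match" if hash_file(p)["sha256"] == ioc.sha256.lower() else "present-mismatch"

def check_iocs(root, iocs: List[Ioc] = REPORT_IOCS) -> Dict[str, str]:
    root = Path(root)
    return {ioc.win_path: check_ioc(root, ioc) for ioc in iocs}

def find_by_hash(root, iocs: List[Ioc] = REPORT_IOCS) -> Dict[str, List[str]]:
    """{sha256: [paths]} for every file under root whose SHA-256 is in the IOC set."""
    wanted = {ioc.sha256.lower() for ioc in iocs}
    hits: Dict[str, List[str]] = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = hash_file(p)["sha256"]
        except OSError:           # locked or unreadable file: skip, keep sweeping
            continue
        if digest in wanted:
            hits.setdefault(digest, []).append(str(p))
    return hits

# Hypothetical IOC carrying the well-known digests of zero-byte input (fixture only)
EMPTY_FILE_IOC = Ioc(r"C:\Users\Admin\AppData\Local\Temp\empty.bin", 0,
                     "d41d8cd98f00b204e9800998ecf8427e",
                     "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

def demo() -> Dict[str, object]:
    """Constructed fixture: empty tree, then a wrong-content file at one reported
    path and a zero-byte file matching EMPTY_FILE_IOC. Returns all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        before = check_iocs(root)
        fake = local_path(root, REPORT_IOCS[1].win_path)
        fake.parent.mkdir(parents=True, exist_ok=True)
        fake.write_bytes(b"constructed placeholder, not the real dropped file")
        empty = local_path(root, EMPTY_FILE_IOC.win_path)
        empty.parent.mkdir(parents=True, exist_ok=True)
        empty.write_bytes(b"")
        after = check_iocs(root, REPORT_IOCS + [EMPTY_FILE_IOC])
        hits = find_by_hash(root, REPORT_IOCS + [EMPTY_FILE_IOC])
    return {"before": before, "after": after, "hits": hits}
```

Run `check_iocs(r"C:\")` from an elevated 64-bit Python on a suspect host, or `check_iocs("/mnt/image")` against a mounted copy; `find_by_hash` is the slower second pass and is worth running on the Temp and SysWOW64 trees first. SSDEEP is listed for the sample itself but not for the dropped files, so fuzzy matching is not attempted here.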