Overview

overview

10

Static

static

3

b2bd265005...18.exe

windows7-x64

10

b2bd265005...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 08:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b2bd265005c7318656307a55b005e4d1_JaffaCakes118.exe

  • Size

    224KB

  • MD5

    b2bd265005c7318656307a55b005e4d1

  • SHA1

    0f2bf92ebc8a134c13335bd6f09715271318b383

  • SHA256

    f9fcb5112308e703446c37291fe812b95b7b02166e18b4fac8615b3e586c64fd

  • SHA512

    087a5e57fa03ff49b7dce897060bd6abc810443423c4fd0b84bfc955e1b1dc06fcd7ccae5f2b3cbcd299376c1e7434a0757aa8b75a3cb1a693a73e53564bf727

  • SSDEEP

    6144:KtkEoAM4iYQqA46+wRIvgfTSA31jtLOLdA:66+YffT331FOLdA

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 8 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2bd265005c7318656307a55b005e4d1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b2bd265005c7318656307a55b005e4d1_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 320
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 332
      2⤵
      • Program crash
      PID:2612

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE
          Filesize

          19.9MB

          MD5

          c78407453a42c0da0102a3274b0b0052

          SHA1

          984c21fbbc6cadbb59ad60103ed5dc25cbf35344

          SHA256

          c41efccce230e1a89eefbb45c15f04a3dda41869fb6aab573c7026eb306d3f74

          SHA512

          9d3c5dd2b95e96d991a6615bf65ab4ca0caa44a20b2b953badc36afcf77b4197b1af27e83377eb98c64f72cf737e9ef97ba7d67aa1eec262120c9c8853593284

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE
          Filesize

          29.7MB

          MD5

          5d40c9bc846e2e5cac9ed41164bbae32

          SHA1

          49076eddd7af675c2f94329ecd195680ba3746f8

          SHA256

          eee4ccb6bd62d6d1445a94fbb90682362f8c034f5ec65725ecd87fa8ddc99193

          SHA512

          a83ab393d4d9b169fead6cbccb37843431cdf115c53abda9260747fb7683d0de1f2e597b6a80858f6967f2633b2cba73dfae77e41351b57bfd40c7a062300ff9

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE
          Filesize

          1.8MB

          MD5

          85e8617cf34710d3c14cdc6b9f992e19

          SHA1

          34c0080b80a48035daf97bec31dae8b3bf8a38e5

          SHA256

          89ecbc626466888e9cbec6642f37a754683868dcce77a60f4f26982cfc616345

          SHA512

          163be84953dc5dc8b066b51dc371df1ceafbddd7a9f47d565f4c3a63709a9706f9a2d2b3f41960b369bda4eb004e6d59bf58884b9d6e3525b894236111545dc2

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE
          Filesize

          13.5MB

          MD5

          c55fba422ec7d70ddc133458722a5525

          SHA1

          07fb3e55017cf29bf88a603e3fb412a2a29061dc

          SHA256

          19e5293553b88d0745997b9095723d6096174687fc52e84e2b2d0589dc9be6c8

          SHA512

          2c882c1a0c3fad34a31cf0f457b8ba032f46d6dc707a6f5f6b84c31a6b3caafb5cb8e431188c259679cb5d1a099580031b2635353353320f3eb807acba89f661

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE
          Filesize

          9.9MB

          MD5

          a1ade8c178f90b19d0b0818fbc17693d

          SHA1

          bef6e8b0855d2271f5a20428fc9419dbbc3ac6d2

          SHA256

          fbf0cf2c7e0148d066550448dd4aa907e8689997d45619e3bfc96829f5a06a13

          SHA512

          ea2fde7ca1167f2611229025885d1ef43c7c923c78dd707418230902ddca99af0169c656c1ba7daf2b9d7efee59154f58ccf7abf6ae561371425c00ab74c6b09

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\OIS.EXE
          Filesize

          420KB

          MD5

          0bb7622730114d43ca14548b77db681e

          SHA1

          c5df36919b65cd0aa957a7beb5a89b4b9fb93cab

          SHA256

          2fc5b84be9198ef32cbb782beaf3b5dbb654c7de0e32735015ea15a9b2c144ee

          SHA512

          20ee80f65b5d3fb68150af5587ba552c4e9bd5e3061ae91806e9d5ce23118328b250fe2ea5db27ae8c3c479c872991587b985029e6183be76e29180c6f18c489

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\ONENOTE.EXE
          Filesize

          1.7MB

          MD5

          c06467a1bda7c365b859862d9ad3f879

          SHA1

          384d7a5ff3c2ee884aefc5643fd3599be144f981

          SHA256

          1c7546ce3ebddba027c546e3f10740f0dc71effe0169912931ef4e8170a3d22e

          SHA512

          70d64512488d71611dc60cb9ad8e779edef534ddc20065cef524a9e65f02e1c419ae980b8b24ac60a6adce1ed63f5fbb4347f2fd856675f4f18f804491c03602

          Download Submit

        • C:\PROGRA~2\MICROS~1\OFFICE14\OUTLOOK.EXE
          Filesize

          15.3MB

          MD5

          2a75755aff17704c5f739ffa8a53b101

          SHA1

          876b1d86c447634261b62fe0b9ffa3a94a4f67b4

          SHA256

          05d77c3877e741e6fa35e75f8180fa54b65f1a55d1d5f4946f997e8b753d0d1a

          SHA512

          d1371ba7766ef65b8b6077b0026f9e8e80faad41a57bc0e30235fd386d15f2cf3e791cf8f5cd48b149504bd113be521138630c943b82daa4b425b976c5c3acf1

          Download Submit

        • C:\autorun.inf
          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

          Download Submit

        • C:\zPharaoh.exe
          Filesize

          151KB

          MD5

          c4e532521f50a2baf9e6d1b6a5ea2573

          SHA1

          ad683ec2559bf7a7c8121e582b9374e5193ee06d

          SHA256

          3b1984b16f6785367943796db0e421ad52a4c7b95b911331e4717cb740c2a660

          SHA512

          53ad203b5b66b00468ba1f7d0410357d96a02051a94b1b99e581424d4792d6674c5734690653bf663cc606ca21a0f43a6eb6dbbe20bb7cdf9ea4892d6d0b3bc7

          Download Submit

        • F:\zPharaoh.exe
          Filesize

          151KB

          MD5

          05ac5a895008df20d7167bf22fabfa77

          SHA1

          760ec7ad71d0df8e49a8deac44542e654dacaaea

          SHA256

          696714f8fe5f5b46d9664dc431579b18d377609aa245b6ed4d2f930ecf312e58

          SHA512

          b1334b14a0a7a3f3f988514dedfcb8f35588fcb71e64a2fba09e2508f82d9acb7e77320d6aef22be60db764772b12ea81e37190772d109d992eea911ed94e0a5

          Download Submit

        • \Users\tazebama.dl_
          Filesize

          151KB

          MD5

          eab51e67de6eddb303ec6ab35b9399a0

          SHA1

          bd9ad7f2fcbb17678068b65c23b8936f1ed14ca0

          SHA256

          c7b12d5a58483f96bbf20e0390cce19971b7b2ed7dc439f27c0e98a09b8b4ea7

          SHA512

          eeabb7a69fa699869fd37c2932a08a3cb399232b8e2d155d8621ecd473fd4f2aca722b103e03a4637a46704832574b38e1755f0b2edb5e9b65ab30fd51d705b8

          Download Submit

        • \Users\tazebama.dll
          Filesize

          32KB

          MD5

          b6a03576e595afacb37ada2f1d5a0529

          SHA1

          d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

          SHA256

          1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

          SHA512

          181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

          Download Submit

        • memory/2168-56-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2408-11-0x0000000000220000-0x0000000000236000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2408-0-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2408-12-0x0000000000220000-0x0000000000236000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2408-13-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2408-73-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2408-74-0x0000000000220000-0x0000000000236000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2408-75-0x0000000000220000-0x0000000000236000-memory.dmp

          Filesize

          88KB

          Download