Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-08-2024 20:53

General

  • Target

    b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe

  • Size

    22KB

  • MD5

    b501aba04c3b15988a4b6c7402b005bb

  • SHA1

    37c735bb479a37db922ee73306ec4d6bbb802c37

  • SHA256

    72c787288d5592cc86f7a6556042a2da1059925682c7c10dd7c05000da453e39

  • SHA512

    4621311fa46dffd24793b568476a5a3041b1e1bc89f3a5e5f8fc8dcd3cf825331b58424d44780c54367b5beb746f87e0e9577125acc97fcb34978f7f27e1ef9b

  • SSDEEP

    384:IDD2TOgvcVuoA19Ai0eVwkxiz7eqoeNM6KMaHVya4eYnq+GpzHtpPKF3:MXuoAzrDqoB4fIpzNpPK

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\Fonts\system
      C:\Windows\Fonts\system
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      PID:2388
    • C:\Windows\Fonts\alg.exe
      C:\Windows\Fonts\alg.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2888
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\DEL.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2316

Network

    No results found
  • 10.127.0.0:445
    alg.exe
    152 B
    3
  • 10.127.0.1:445
    alg.exe
    152 B
    3
  • 10.127.0.2:445
    alg.exe
    152 B
    3
  • 10.127.0.3:445
    alg.exe
    152 B
    3
  • 10.127.0.4:445
    alg.exe
    152 B
    3
  • 10.127.0.5:445
    alg.exe
    152 B
    3
  • 10.127.0.6:445
    alg.exe
    152 B
    3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\DEL.bat

    Filesize

    210B

    MD5

    5cca959dd0ede7d95eaf90989090d441

    SHA1

    8bfb333bbbda4b8a1de03edf441c48fcfa65b906

    SHA256

    a4d3dab539b9e0aad2a76de04637fc4cf68fac6a57414f5ecbc197aa1c6bd6df

    SHA512

    db02faad4b95f1ae517220330ec2a14c746ba38a87a1700ce92dac04b03bca6f89e21735b3395a1e3c3ce6834fc3b97e371e0fa254bf71495773258e1f996b09

  • \Windows\Fonts\alg.exe

    Filesize

    5KB

    MD5

    05c250f63cb268896a4dd1f9386ca6cd

    SHA1

    49562782fa486ba07e8e713c6c3ad8eac0a9417a

    SHA256

    f9f250b8a95fe2ad6831a4fc27a10fddca15b6cedcfb3a1c48823f88fdfbf526

    SHA512

    49e41ab0dd01f096b07b1fe95664f3403b429cad14a70befd219e9641b16c2095120347225844e303490ad12b757140a48c1a1d3d7282742ebcde438d5d047be

  • \Windows\Fonts\system

    Filesize

    1KB

    MD5

    93e9952ae2d7a02605cb27775c6714c1

    SHA1

    9d994b2f93feebeb2002d726255d3557188a66f4

    SHA256

    e4eb382194c025a1ba434bece51041457bd3f9980a817f7540982cde8c93e751

    SHA512

    41bedcf547f134719676327cfeff324e48a7830df97811a0b9ca332ce04f233e0e50fb53387d340386aa4441eff65a1e6d20d46762bef3c6ecb28cd47ffd16a4

  • \Windows\SysWOW64\fuzdsp.dll

    Filesize

    19KB

    MD5

    66f43d666183c55b44fdfe41ce1783e2

    SHA1

    a8b1df0a70ff55fd5463eed24da1c27a58f48e11

    SHA256

    ad3c0db189642952cf4c940a2cc2cacde2025b33f9ad9a10075fd14e255a304c

    SHA512

    5a57f8125b910e79693fde08c3383fb790f0c3cb3a4fa65236fd7e75ae632a881127c010489592343d4d02ae6b6827cc02cee6eea55cccc55a6044b2d7370b2c

  • memory/2684-34-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

  • memory/2684-20-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2684-33-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

  • memory/2684-36-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

  • memory/2684-38-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

  • memory/2684-40-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

  • memory/2684-42-0x0000000000020000-0x000000000002A000-memory.dmp

    Filesize

    40KB

  • memory/2912-31-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2912-19-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2912-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB