Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-08-2024 21:51

General

  • Target

    b946ffde591c2d70e555a9b00b9a8dce_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    b946ffde591c2d70e555a9b00b9a8dce

  • SHA1

    75144d53d14e2057e8e1754c79d3316ed54db3e5

  • SHA256

    021b08b128e55914f9f15b6f651b883fb46dc8fade96aefc78dc83ce62772f7c

  • SHA512

    34ef57f07edfa5a7eaab768a356a53f845d1c2616b09a1916d60dfd93a7f852559be3a9e4a3a82f3796f2f8badb09860406f6195e6fd85f71b5337ce03c6613e

  • SSDEEP

    3072:Knj9jtfU+INndIc0Jm5lz8BJVw4RajCtQtSNXx6+9sRYkEP3l8X0SX2dBE/Qz:KjbeiXVwrCyANXQ+9sRYfP18X0I2dL

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b946ffde591c2d70e555a9b00b9a8dce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b946ffde591c2d70e555a9b00b9a8dce_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serveur.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serveur.exe
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serveur.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serveur.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\serveur.exe.log

    Filesize

    485B

    MD5

    68d66c3ee003384f5ea5fd6bd3dfcdd0

    SHA1

    eef79b09bea7f0b79179128109622bf46cfc62cf

    SHA256

    e870623c86102754d1a1df3397392f3fb8453f9850dd7c57977aa1e67ccf719c

    SHA512

    76ffdbe92debbde9b07eb6958ebc2578f4f5095a1f0f8b483542288f1c0d778c17e92e9aa18bb65faa90461810f2156b11c69b1614702315023be6a11686e75a

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serveur.exe

    Filesize

    194KB

    MD5

    0e2cfcd1c6d43e924aac1297da7b93d3

    SHA1

    a51eaece3a9a305d34e4ca6ac2d757a385302f3c

    SHA256

    284fe4a8bf4d940fe7d44962365ec127663cdf81a6712cd084d1b80a45f694ed

    SHA512

    916a162dae898e331acd13661674ece8356741c10c45d541c47cbaac81a8d928b0cfbef06f76587addec4fc293d96ed740f4f11ddf7ff7dfec4f597e887c9f25

  • memory/2960-5-0x00000000741F2000-0x00000000741F3000-memory.dmp

    Filesize

    4KB

  • memory/2960-6-0x00000000741F0000-0x00000000747A1000-memory.dmp

    Filesize

    5.7MB

  • memory/2960-7-0x00000000741F0000-0x00000000747A1000-memory.dmp

    Filesize

    5.7MB

  • memory/2960-11-0x00000000741F0000-0x00000000747A1000-memory.dmp

    Filesize

    5.7MB

  • memory/5052-14-0x00000000741F0000-0x00000000747A1000-memory.dmp

    Filesize

    5.7MB

  • memory/5052-15-0x00000000741F0000-0x00000000747A1000-memory.dmp

    Filesize

    5.7MB

  • memory/5052-16-0x00000000741F0000-0x00000000747A1000-memory.dmp

    Filesize

    5.7MB