Overview

overview

7

Static

static

3

b82d1cff5a...18.exe

windows7-x64

7

b82d1cff5a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2024, 15:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe

  • Size

    383KB

  • MD5

    b82d1cff5aa85ebd804d927d80497198

  • SHA1

    fbedddc09a4289f7e71234a34994523d19dee6c5

  • SHA256

    bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c

  • SHA512

    44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a

  • SSDEEP

    6144:oo/MZP+H/3L56PEUzduvxw3gy8nQ7I2ToIk4ou1zCIufyRd1mJJ4HdRpyjsZ8Bz7:pE2HDGUvnu4You1nLRrY27pp

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\wninstal.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2980
  • C:\Windows\ddgop.exe
    C:\Windows\ddgop.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2056

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\ddgop.exe
            Filesize

            383KB

            MD5

            b82d1cff5aa85ebd804d927d80497198

            SHA1

            fbedddc09a4289f7e71234a34994523d19dee6c5

            SHA256

            bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c

            SHA512

            44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a

            Download Submit

          • C:\Windows\wninstal.bat
            Filesize

            218B

            MD5

            343b12223d2e03162a5334cce0a79d43

            SHA1

            f6c83adf3109dad858627b885b10bdea3822cdd1

            SHA256

            02af40c65ae92b280154b63e719af157aa27e475ddac5d9c66e912c49d6ce39c

            SHA512

            ac47008f9caa4f1d0cda934c6a6014e5a0054d215d32107980e6b1d2d583d26ce6031a051b61e31959d90af0533036a98724016ed6b10a2e66bd921c39ce7be5

            Download Submit

          • memory/3032-0-0x0000000000290000-0x0000000000291000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3032-13-0x0000000000400000-0x00000000004CA200-memory.dmp

            Filesize

            808KB

            Download

          • memory/3040-4-0x00000000004D0000-0x00000000004D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-15-0x0000000000400000-0x00000000004CA200-memory.dmp

            Filesize

            808KB

            Download