Overview

overview

7

Static

static

3

ba65c8a4f1...18.exe

windows7-x64

7

ba65c8a4f1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    129s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba65c8a4f16969465a5b11137aca884e_JaffaCakes118.exe

  • Size

    206KB

  • MD5

    ba65c8a4f16969465a5b11137aca884e

  • SHA1

    f4064e93eb02d748a9aa5031fb1a0f9602ef1ab4

  • SHA256

    238a3fec331af1e7ef2db4dac68d05e28eaa6236f88d02caf47fb0c7c8392514

  • SHA512

    405a7537f0f03fec94298dfe5ad048b39ed1d943ddb8b2bc689ebc33b9117f0bd453f90b78b2cf5c854e7af1a15dac35d3d577d03b0cc574dd35b80c53b0349d

  • SSDEEP

    3072:r8pIZRtf4rG+g+H45EoTLZ19grIkrtT8YBKBJvgsZaSUc8Y6YqJxabBFZG:r5XQy+miA9grIkZgYBKvvvZME68bBFM

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:868
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\ba65c8a4f16969465a5b11137aca884e_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\ba65c8a4f16969465a5b11137aca884e_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\system32\consrv.dll
      Filesize

      52KB

      MD5

      6bf2039986af96d98e08824ac6c383fd

      SHA1

      0bb6384656a96943cb427baa92446f987219a02e

      SHA256

      a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

      SHA512

      fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

      Download Submit

    • \??\globalroot\systemroot\assembly\temp\@
      Filesize

      2KB

      MD5

      cf990710175748b175c4af0601722c99

      SHA1

      8c9927f75c3dea64efa84acc5f63aac4ab1c4a26

      SHA256

      0192809476a2aef954fb75b28ebef2419555a0e13838ca3c2fe86967b462f844

      SHA512

      f55dc54a9d7444592a7afaba33f5770bbd3ffe9b9e3703969e6e99c7f0abeca2ddb008424af44acfe0e5ef7a9c88b9c72c0b318ee5bcda86d6a6b90c7477840a

      Download Submit

    • memory/336-19-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/336-31-0x0000000000EB0000-0x0000000000EC1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/336-22-0x0000000000EB0000-0x0000000000EC1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/336-21-0x0000000000EB0000-0x0000000000EC1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/868-43-0x0000000000C70000-0x0000000000C7B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/868-42-0x0000000000C60000-0x0000000000C6B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/868-45-0x0000000000C70000-0x0000000000C7B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/868-33-0x0000000000C50000-0x0000000000C58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/868-34-0x0000000000C60000-0x0000000000C6B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/868-38-0x0000000000C60000-0x0000000000C6B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1264-6-0x00000000025A0000-0x00000000025A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1264-14-0x00000000025A0000-0x00000000025A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1264-5-0x0000000002590000-0x0000000002592000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1264-10-0x00000000025A0000-0x00000000025A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2944-4-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2944-2-0x0000000000430000-0x0000000000434000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2944-0-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2944-30-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2944-26-0x0000000000430000-0x0000000000434000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2944-25-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2944-3-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2944-1-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download