Overview

overview

7

Static

static

3

d001e3a4b0...18.exe

windows7-x64

7

d001e3a4b0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d001e3a4b021c7f2b9b623b2277597d6_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    d001e3a4b021c7f2b9b623b2277597d6

  • SHA1

    8b30c031ff658f08b3cc15120ab941b0014de302

  • SHA256

    3b4d75ada68e20f28d5e8f87ceb0d3f91161b9dd30c5779b457ca950d6f2aa2b

  • SHA512

    27a0ff8a395afd2011b7526127899ddd60023cef101865543deea77016a9eaedc3c5834641df20702210bcd59e294a8c5fea3172f810613850f4fd0599236ab7

  • SSDEEP

    3072:JJKvNR9cbdBKgLsZ0bu3eEwicSg0gVg7w32avurqZX1Ax+YajYUQ:ATcbAubocicSg0U3FvurqUmYU

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d001e3a4b021c7f2b9b623b2277597d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d001e3a4b021c7f2b9b623b2277597d6_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Program Files\sam.exe
      "C:\Program Files\sam.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\lsass.exe
        "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
        3⤵
        • Executes dropped EXE
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\sam.exe
    Filesize

    39KB

    MD5

    a1c46947446effac0f11648200eb0945

    SHA1

    1888afdd1cf084ab7e011948d512b848ae5a6e17

    SHA256

    39b4d79f61d80e41f4b88a4e9d0a993b702c9959c39d8e4ecc5d3d7a184f5075

    SHA512

    951f6a46871d07380322ce570f3c2dcbe59a72b4318087b3cc895fc3dddfd7c0d409554a012aac7dbc4001d9d7de9a82f60f901e3af9b6ad29570d5018b7fc41

    Download Submit

  • memory/2324-0-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-1-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2324-2-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2324-3-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2324-11-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download