Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 02:03

General

  • Target

    d349f183d12c06cc2ce5e50997f0168b_JaffaCakes118.exe

  • Size

    543KB

  • MD5

    d349f183d12c06cc2ce5e50997f0168b

  • SHA1

    40c1fd9e82b4b77ba5f89990932d4bd69c27da98

  • SHA256

    783d3d6f239947ea26bec0c9dca952daa9f4357af225fc70af93528cf9a92bc8

  • SHA512

    b707c6435d0d55c81bf54f319386740b17caa7cc40e7b923b66ee15beb1c4c42c44d9b5bbffbe902ce03b2673cd259397fadaad04a3c091f3ee3d073be669917

  • SSDEEP

    12288:lr6MUh7WB+TLpFNOC31wtWvj3Mz1it4NyghvRaE5:lrrUkEDNOC31aWDMBiChvRa0

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d349f183d12c06cc2ce5e50997f0168b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d349f183d12c06cc2ce5e50997f0168b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\RegSrvc.exe
      "C:\Windows\system32\RegSrvc.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1332
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c .\delme.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2068

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\delme.bat

          Filesize

          158B

          MD5

          b220f8b0cf4507e80284f767da8aa7d2

          SHA1

          5b96e210f510bb8c7f600bf16f52d9b338180528

          SHA256

          870ab00a663fb500ec9a7f0828bbd61652efa3ab8376f5a5f95e46c8e110f2cb

          SHA512

          5c75906e91ae59e8d933daca32bd17eb85611b14f2116ee360807482820b7340ce04ce137b4e6b1eb65253f86a07710d6804fb3d27790eed4f62958dab44e490

        • C:\Windows\SysWOW64\RegSrvc.exe

          Filesize

          422KB

          MD5

          de46905e42e5796acb68b56519017130

          SHA1

          96b0f5e0e59f5fab118bab2918c1d00872c15eab

          SHA256

          d6beaa9b60866c0b6d15cb62839061abd1527b2a57f5d2ba99af8a296a5fdd3c

          SHA512

          ab0d046c3272442e86b51c62472a1a753ad23bc5e41a9b37e128f987eefb845e403bc4a476844ffd5c3819ee03dfe78eda583dcd750f817526026a29884e7b8b

        • memory/1332-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1332-19-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

        • memory/2124-16-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB