Overview

overview

10

Static

static

3

d3e5b7615e...18.exe

windows7-x64

10

d3e5b7615e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe

  • Size

    245KB

  • MD5

    d3e5b7615e21411061c646ca6cad844c

  • SHA1

    467d9819a37dfe8bd7ec813332096134b634848e

  • SHA256

    4962e73c98eb6bba5ba9024a24f77c69cf73d53e067b70c252f37047b4fa8363

  • SHA512

    58ded0fac72c5812848af0c6e305389dba1cba1f465eae82797249dfb922ed3de5a61c78d0f43d4e56261e8dad4d25648c92b6ac6e8a54da75075cdf9781176b

  • SSDEEP

    6144:XgIeSFrCW39Eeix/XIGoPaiKe2lgg4EJjc9hk1O:XgIeMOWtELN+PnKem4EJjc9hoO

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 12 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2052
    • C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Documents and Settings\tazebama.dl_
          "C:\Documents and Settings\tazebama.dl_"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 136
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:3048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 148
      2⤵
      • Program crash
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Documents and Settings\hook.dl_
    Filesize

    79KB

    MD5

    adc6a74f04047aa2f54076b807b497c8

    SHA1

    d93c761dc4f088a680a45b48fe7735dc0dd23145

    SHA256

    afbf9bc53f9315cc949791e5ee1a3d9912d50ff4ce0aca347e43803eca24ecd7

    SHA512

    4b99d359acf7d2d0266b38f95299c784ab5209f23caad2bff6b74fbfa0ba0fa05528e511f0f182860e22c10b03bbf92ec03a1e811364926f70979bfc3a8ca171

    Download Submit

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    152KB

    MD5

    aaec133300fcbe94ea3fee9faebc4d17

    SHA1

    d4a8dc1c8a8bcf58afb22f31e32bcfa788f728cb

    SHA256

    8db72faf8748a6c9766e9e2884a147f34ad14e61d8515c0ffd8dda75f4e03b75

    SHA512

    bf58840f17c13d23b7d6734cebc15706024e9d806781f3af1a665168e4abb988d7c1dc2adb2c5ac84673fc1b61ac309ae8c542bf0512286d4b683b586d53bd16

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\RCXD8E3.tmp
    Filesize

    69KB

    MD5

    8ba404e90194c38541e324657e72f74c

    SHA1

    ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

    SHA256

    8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

    SHA512

    1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\S-1-5-21-1488793075-819845221-1497111674-1000 .exe
    Filesize

    151KB

    MD5

    91a8bce779c8408d10955bfb8950b496

    SHA1

    f0ea5f0452ef811eee609fb8d49f19080c87571b

    SHA256

    92b20a051d9e95de7c2aaf1a5d78cdd914c8d1ea5e73a124c6b267b8d313ea08

    SHA512

    f345ae6d5c43a3efc9a8218d8fdfac398c4d7ad4210bb0ce3e8a65a5722106e404dfaabf8024db9bc5c5e8ada78504d2eed40828beba2857dbc1a23dfbdaeacc

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\WinrRarSerialInstall.exe
    Filesize

    151KB

    MD5

    f529b0f248564d09e25e4b5e9512a1e6

    SHA1

    efa8a91c9d7a994cea1a80cd3a96dc02a16736c9

    SHA256

    c469346a0134de75110559132779768473662e46df00918737270f57234c5e8a

    SHA512

    b56409adf4e61add1293d20a815429fe36e3838ce17cae1fa34bb47a2565c582c3d50a9a6d18fad04b4e3b716bb03dec1e34ed8bfbba58f8cf2d2970b1ae3d58

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    151KB

    MD5

    3c6a1378d093ca1c414347a8cc415f68

    SHA1

    b89e93fc5e4f6d80289c3a7ac10fce755a90422f

    SHA256

    034d9a3fc2ee00c5e567e3700be794ec77e4a5d83e29c48adbc3969866c8eecf

    SHA512

    64cca142c339654eff92bdea57938d2933f8233efdd64ad0588a92d450318d04e82afb163214f451f4e8d049cec4ac15861d3b0e18081c8b65cee6a17ebc05df

    Download Submit

  • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    Filesize

    245KB

    MD5

    990ab83677953acf05804b9834d3e1c3

    SHA1

    b1b0e423a5dc62abf387f269d51addbaeb3a084f

    SHA256

    5f6109f6beade116134c74a3cc3c493c48384bcc44cd12758096a57b30665725

    SHA512

    ebb50dd2fdec6d8083a248905bb40124bb902cefe720ad2ad9fa4070b799265cdc4972763f834ec8e3162f5f4a7250d4bbda5373db93fbc38b27840b451316ca

    Download Submit

  • \Users\tazebama.dl_
    Filesize

    151KB

    MD5

    a902beadfaeceacefb2bdf6cff750df7

    SHA1

    7da443bd9a3dc51985a4fcd8d5cbdfc4d2ae0fed

    SHA256

    43a634019e72b71a89a9904431b538f90350cbc468c67379cfc13db8fa19c1a1

    SHA512

    8709de4645f093598b3db692ef26b1e4fe34ead26c27e6da92d326aba70f7d3e50386d4e0359e56e0e0f88ca65f7a2a02daf0a6384462e81e9d7880d0463e464

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • memory/584-524-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/584-526-0x00000000002B0000-0x00000000002C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/584-1-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/584-24-0x00000000002B0000-0x00000000002C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/584-27-0x00000000002B0000-0x00000000002CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/584-26-0x0000000000402000-0x000000000040D000-memory.dmp

    Filesize

    44KB

    Download

  • memory/584-25-0x00000000002B0000-0x00000000002C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/584-6-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1208-608-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2052-525-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2052-29-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2632-19-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-60-0x0000000010000000-0x000000001000A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2632-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-154-0x00000000003D0000-0x00000000003EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2632-13-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-15-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-17-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-21-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-30-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-31-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3052-170-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download