Overview

overview

10

Static

static

3

d42a883daf...18.exe

windows7-x64

7

d42a883daf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 10:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d42a883daf41c76e92d3cc68779dfda5_JaffaCakes118.exe

  • Size

    410KB

  • MD5

    d42a883daf41c76e92d3cc68779dfda5

  • SHA1

    d326b3d9515e23e26f5c9432b27eb64e08a1184c

  • SHA256

    f41661bbdf9c591942b0e470938cf56b9787099be0df57286ee983d56b0135d4

  • SHA512

    69013b0a11a79c22e1b8655e347170239f6f7f01c5edc5c4af5405f513d8d3f0e0642ea18076303d7f8091253b1fb5859d3a26e1dc3d9515e5f5f5867030bb33

  • SSDEEP

    12288:F2yy6toS493ACIl7vI1kiqHNnyVek/a4QmHNX467p0suc:F2yZoIjIbgyLC495467gc

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d42a883daf41c76e92d3cc68779dfda5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d42a883daf41c76e92d3cc68779dfda5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\RoamingFirewall.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1420
    • C:\Users\Admin\AppData\Local\Temp\d42a883daf41c76e92d3cc68779dfda5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d42a883daf41c76e92d3cc68779dfda5_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Roaming\msconfig.exe
        "C:\Users\Admin\AppData\Roaming\msconfig.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\RoamingFirewall.bat
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2088
        • C:\Users\Admin\AppData\Roaming\msconfig.exe
          C:\Users\Admin\AppData\Roaming\msconfig.exe
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          PID:4976

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\RoamingFirewall.bat
          Filesize

          16B

          MD5

          ad8f534ea726ddec58a390dee334362f

          SHA1

          847339c3a250e6910602a8570156ac4559ef90c0

          SHA256

          8a469c68715e6cda6c891a6c372b1560e17b9f8756e97f321a9d966986f960da

          SHA512

          6eca7a37fedbd0c6ccc5e0ccec9e48641cd7d4bd6d2a1979dc0fb8b6950c264db48291f68b8cc50c987b98f551304e114c1ca916b1f88144e8fa6d50cf939a92

          Download Submit

        • C:\Users\Admin\AppData\Roaming\msconfig.exe
          Filesize

          410KB

          MD5

          d42a883daf41c76e92d3cc68779dfda5

          SHA1

          d326b3d9515e23e26f5c9432b27eb64e08a1184c

          SHA256

          f41661bbdf9c591942b0e470938cf56b9787099be0df57286ee983d56b0135d4

          SHA512

          69013b0a11a79c22e1b8655e347170239f6f7f01c5edc5c4af5405f513d8d3f0e0642ea18076303d7f8091253b1fb5859d3a26e1dc3d9515e5f5f5867030bb33

          Download Submit

        • memory/3504-0-0x0000000000400000-0x00000000005F6000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3504-4-0x0000000000401000-0x000000000040B000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3504-1-0x0000000000400000-0x00000000005F6000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3504-12-0x0000000000400000-0x00000000005F6000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3504-14-0x0000000000401000-0x000000000040B000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4028-8-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4028-10-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4028-13-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4872-36-0x0000000000400000-0x00000000005F6000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4872-20-0x0000000000400000-0x00000000005F6000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4872-26-0x0000000000400000-0x00000000005F6000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4976-47-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-48-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-37-0x0000000000690000-0x000000000069B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-42-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-43-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-44-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-45-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-46-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-34-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-33-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-49-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-50-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-51-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-52-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-53-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-54-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-55-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4976-56-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download