Overview

overview

7

Static

static

3

d563e6efd8...18.exe

windows7-x64

7

d563e6efd8...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 00:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d563e6efd89a55e47abe3ebe2cb5dc68_JaffaCakes118.exe

  • Size

    49KB

  • MD5

    d563e6efd89a55e47abe3ebe2cb5dc68

  • SHA1

    9fa8b8452882692d3498c8727369c422434f687e

  • SHA256

    4f1451a1cd63567ceca49118d5b0e9bbb11a28d16aa5b373d42fe861b924a776

  • SHA512

    3a2896d3271d3c33762d468922e4dd277059d2a1dcf95f930324e3d74a183d0b6e546280b245e9430491025ea4faf2e9a2d2d240787d2e12dc8f32459ab827c4

  • SSDEEP

    768:9FOvFOTl3IFOs8a1exNvilQghg3upkl160dTdcEnLKjQG111yfsP7:msh7smTvS3+6gnmMQcfsP7

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\d563e6efd89a55e47abe3ebe2cb5dc68_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d563e6efd89a55e47abe3ebe2cb5dc68_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\WinRoot32.e
          C:\Windows\system32\WinRoot32.e
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\SysWOW64\WinRoot32.e
      Filesize

      29KB

      MD5

      30fa0863a0884df88f2ddaadfe2dda56

      SHA1

      233686f4f651ad0e1d2160c3e0a8986e6f3d2002

      SHA256

      fa3761d1c70b38e1bdc2d1cae2445536f7d04acfd3645fcbe1d2c322dc1a9547

      SHA512

      08bc09366533187c95ad5560457069ef7fba485082eae98687ed0806c71a542b269d1e1aac69840507003c216424574111336672ab3aac3a68797e2bd603bdbb

      Download Submit

    • memory/1188-17-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1188-20-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1620-12-0x0000000000260000-0x0000000000269000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1620-7-0x0000000000260000-0x0000000000269000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2212-14-0x0000000000400000-0x00000000004083A0-memory.dmp

      Filesize

      32KB

      Download

    • memory/2212-15-0x0000000010000000-0x0000000010012000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2212-30-0x0000000010000000-0x0000000010012000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2212-29-0x0000000000400000-0x00000000004083A0-memory.dmp

      Filesize

      32KB

      Download