Overview

overview

10

Static

static

3

dc18833a57...18.exe

windows7-x64

10

dc18833a57...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc18833a5782359021cc033ec28db8c8_JaffaCakes118.exe

  • Size

    865KB

  • MD5

    dc18833a5782359021cc033ec28db8c8

  • SHA1

    7b1f91181f1da4fa8af7dafb5a134c3f7d5e97d2

  • SHA256

    6304025b1257897362538a402ecb3fc47af94868332ff843d5f2075a9d58d81e

  • SHA512

    2ba43a08083e439fa2b1fa685e7655bab073d3f9a2f79f1d4ab2db306be63fbcb37c5e332f3ef1959c783ddbf36bad9ca98879472fd929c4de5f1e4d17ce98d4

  • SSDEEP

    24576:K/7//0x2mmx+i06g8oUsDElpm3dw1ClFrg2Dt59ab5D:gzBr06g8oj4lpmDH/59mD

Score
10/10
discovery

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc18833a5782359021cc033ec28db8c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc18833a5782359021cc033ec28db8c8_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3188
  • C:\Windows\system32\rUNdlL32.eXe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
    Filesize

    558KB

    MD5

    2c7eca6d53a2c2e3f863f75523205168

    SHA1

    4c95f3afc24c4403d0657f5ed4f4e055193d223f

    SHA256

    a279b9a19acca64ff8529a519e89d15662c40b753e4163ad9fb24f5c43275b8f

    SHA512

    ccfc724e33234d711650984166eb3c4f9b2ce11398b437388f56fbbb9c0849c821f3946d8705d34288da35cc4c2dd0e5fd36dd67d8abc5287e17a3091869b8d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
    Filesize

    80KB

    MD5

    993b4986d4dec8eaebaceb3cf9df0cb4

    SHA1

    07ad151d9bace773e59f41a504fe7447654c1f34

    SHA256

    4412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec

    SHA512

    ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e

    Download Submit