Overview

overview

7

Static

static

3

dc19064861...18.exe

windows7-x64

7

dc19064861...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 07:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dc190648617de692d6a34f3fa069daae_JaffaCakes118.exe

  • Size

    301KB

  • MD5

    dc190648617de692d6a34f3fa069daae

  • SHA1

    c1f99e2d3935a8f298016a453f91e79cf6baec97

  • SHA256

    b01f834ee2ddc5323cf9af1a1fc5604e6987ec856ce362465ad40499d1f65fc6

  • SHA512

    cbf95455ca9ef5d165315417393c50b40d1f54d6e4e88eab02e46936f47211e1df2ff66fc942e767cb833ea247decedb560c148ece29c32179f9848cb6b1d04c

  • SSDEEP

    6144:XSYbXXKOiPs03UM9RZJUr+aDfod2Wm2gaTvYEmu8QAWHoS:iUXabPD3DZyrOd2qHTXKQAWHoS

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc190648617de692d6a34f3fa069daae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc190648617de692d6a34f3fa069daae_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\XBSAKB.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:988
  • C:\Program Files (x86)\R_Server\RemoteAbc.exe
    "C:\Program Files (x86)\R_Server\RemoteAbc.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of FindShellTrayWindow
    PID:2308

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\R_Server\RemoteAbc.exe
          Filesize

          301KB

          MD5

          dc190648617de692d6a34f3fa069daae

          SHA1

          c1f99e2d3935a8f298016a453f91e79cf6baec97

          SHA256

          b01f834ee2ddc5323cf9af1a1fc5604e6987ec856ce362465ad40499d1f65fc6

          SHA512

          cbf95455ca9ef5d165315417393c50b40d1f54d6e4e88eab02e46936f47211e1df2ff66fc942e767cb833ea247decedb560c148ece29c32179f9848cb6b1d04c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\XBSAKB.bat
          Filesize

          218B

          MD5

          1004129c184bd1899545a8f84af125d6

          SHA1

          e30872e59716469bb1650ca1e151bc29cea91fc2

          SHA256

          d27c7db76a5dd0ead559b8791d21b5756a96228da19cec9d598e34b001765510

          SHA512

          bbfa4d60c54824346bcad4a722f650b2b5c05622792fbfec641a508c5e6631651139145b3c2f60824fbbe425b6d1d26d7cde10065205603340f24962fcb9b00a

          Download Submit

        • memory/2308-5-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download

        • memory/2308-6-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2308-18-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download

        • memory/2308-20-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2308-23-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download

        • memory/2308-27-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download

        • memory/2308-31-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download

        • memory/2384-0-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download

        • memory/2384-1-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2384-15-0x0000000010000000-0x0000000010095000-memory.dmp

          Filesize

          596KB

          Download