Overview

overview

10

Static

static

3

de707053d5...18.exe

windows7-x64

10

de707053d5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2024 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de707053d58babaf5eb9c7115154612d_JaffaCakes118.exe

  • Size

    244KB

  • MD5

    de707053d58babaf5eb9c7115154612d

  • SHA1

    3c020980e48994ed859c0dc5084d7b6979ff64c1

  • SHA256

    2deb6f6e116c990886cd374790714ac8300d9c48c7ca8ddca3c965b7799d4216

  • SHA512

    a3b5a6f209df562297c91799716371b202e1c2915f2a947338439bc2cc80a301e483db44824f06ffd24d27c068ae8c8d3093458f7fee100cfa93ac1039930635

  • SSDEEP

    768:1lvMaHfJcwaMCJUwbjMPkG1VuW/wqvRXMXp677yCzdXZRT2Nq1MaQnepMri14PGe:1Rl/JcsKJlGVs4emEFbcP0

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 49 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de707053d58babaf5eb9c7115154612d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de707053d58babaf5eb9c7115154612d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\kaamiy.exe
      "C:\Users\Admin\kaamiy.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\kaamiy.exe
    Filesize

    244KB

    MD5

    eec1b9b2f7a2248bc96d2805be0e35f3

    SHA1

    731d92e6ca80037600c766fddceee9f4937ced6e

    SHA256

    ff138b76a4ae62ae859a906fae0fdf9d4a96609e132814020582fd65edc48fd9

    SHA512

    1ce97d38a1cb6710a1751759c80d1f8129e287dec5f2e276eb1fab2458d1422ea1c5acea1f138ab509bd8256aabdf450146c185f7c6760652647d95263034977

    Download Submit

  • memory/1660-0-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1660-14-0x00000000033E0000-0x000000000341F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1660-13-0x00000000033E0000-0x000000000341F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1660-20-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1660-21-0x00000000033E0000-0x000000000341F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1660-22-0x00000000033E0000-0x000000000341F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2480-16-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2480-23-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download