Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 18:21

General

  • Target

    dea7175c95b0499e1bf1346ac742b064_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    dea7175c95b0499e1bf1346ac742b064

  • SHA1

    0d1900212b4fdc0f757d48074bd7a59d352b602b

  • SHA256

    879d26445f5f2824577a9896c3eb69bace88399b646f7c2a4979888fc9e618d4

  • SHA512

    ad99f32abc4602f156675d18c3510e5ece06a693c5fb4af7511fea181dbd4cbe256494407510e1bad1814ea4379b28415d1ff5d70c06d09e1cd81b817539e15d

  • SSDEEP

    768:MmH1KwVE8BGacEvnb7vRHwEEEEEwERGq+kZoQ+vKdliXSVAFD/mjmH1KwLDXY+5J:l2KdlIBFZbXYQIt7

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea7175c95b0499e1bf1346ac742b064_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dea7175c95b0499e1bf1346ac742b064_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dea7175c95b0499e1bf1346ac742b064_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1028

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • \Windows\SysWOW64\vlihzouhgnfe.dll

          Filesize

          12KB

          MD5

          55c8d64789d37de12c6cffe6c1320f78

          SHA1

          c9fd6d379a430a123a2271cefb30e496f4191cf5

          SHA256

          d6079be2f73e086b556d43cd404945bc2663fe285b3cef94b552b0295b7ccf0a

          SHA512

          21fa2d724bd0ebf89a82f5bbe0f221143066dd0af93f645be24743eebd221bcc1b726f37a32752c3cbc8e75ffe3fc4dc51020d199d35b72bd9df356d3aaab2c4

        • memory/1568-3-0x0000000025000000-0x000000002501C000-memory.dmp

          Filesize

          112KB

        • memory/1568-7-0x0000000025000000-0x000000002501C000-memory.dmp

          Filesize

          112KB