Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-09-2024 15:26
General
-
Target
e0791e5c862d20a856dc667c9073e5ae_JaffaCakes118.exe
-
Size
212KB
-
MD5
e0791e5c862d20a856dc667c9073e5ae
-
SHA1
e3b0f05b55f4b74ad3cf5f916e32706aded1a095
-
SHA256
433f21cfcb30a5c2af0f8486946c54d5cdb2542abb875a8eec44ea7d9815d083
-
SHA512
c6e0b5954363282f5099e0c1d599b605d7a9afbfa307f8692815bd5cbb076050972ce900ca4fee31c5f6d1e4500d38f2849f33ca79cb7b6155c17a4e294345eb
-
SSDEEP
6144:59YZwR57sJprYFMIscTkgBtPV9BPG9j0xWNkeXejJNp/DXUqf:YZs7sJprYFMyogBtPVjPaj0xWNkQmJNr
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0791e5c862d20a856dc667c9073e5ae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e0791e5c862d20a856dc667c9073e5ae_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /f3⤵
- Impair Defenses: Safe Mode Boot
- System Location Discovery: System Language Discovery
-
-