Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 03:41

General

  • Target

    ea84b6af5f6a48b6b74145b997c2606f_JaffaCakes118.exe

  • Size

    128KB

  • MD5

    ea84b6af5f6a48b6b74145b997c2606f

  • SHA1

    177e83fae128670a95d3e5a2a4d823babbc02611

  • SHA256

    2b2f4366d2589b9d413220829d2e2609e2589c1ea91bc50148a9bcce7278f552

  • SHA512

    71c6175af90f90ddec05f4e189bdc0a80a3ce017257b2b1be9043ce7ef5aaa394faea967b7db5c928ea7c718a441c2a59734da7bd8ad18198d590dedcfe39811

  • SSDEEP

    3072:GawcyIgI3y4CpCfCGCCOCwC9CvCFCfCLCvCUCLC2FInROUSRSGSuSQSmSNS4SQSJ:QcYI3yGFInRO

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea84b6af5f6a48b6b74145b997c2606f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea84b6af5f6a48b6b74145b997c2606f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\koejaav.exe
      "C:\Users\Admin\koejaav.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:540

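The two registry behaviours attributed to koejaav.exe above (a Run key pointing at a binary dropped directly under C:\Users\Admin\, and a change to how Explorer shows hidden/system files) are what an analyst would check for on a suspect host. The following is an added triage example, not the sandbox's own signature logic: it parses a Windows .reg export offline and flags both conditions. The .reg text is constructed; the Run value name "koejaav" is a hypothetical placeholder (the report names only the dropped path), and the Explorer\Advanced values Hidden and ShowSuperHidden are assumed here to be what the "Modifies visibility" signature refers to, since the report does not list the IoC itself.

```python
"""Offline triage of a Windows registry export (.reg) for the two registry
behaviours the report attributes to koejaav.exe: a Run key pointing at an
executable dropped in the user profile, and Explorer settings that hide
hidden/system files. Added example; not the sandbox's own signature logic."""
import re
from pathlib import PureWindowsPath

# Constructed sample export. The Run value name "koejaav" is a hypothetical
# placeholder: the report gives only the dropped path C:\Users\Admin\koejaav.exe.
# The Explorer\Advanced values are the ones this example ASSUMES the
# "Modifies visibility of hidden/system files" signature refers to.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"koejaav"="C:\\Users\\Admin\\koejaav.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
ADVANCED_KEY = "\\explorer\\advanced"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}. Handles REG_SZ values (with the
    .reg backslash and quote escapes) and dword: values; other types stay raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw
        keys[current][name] = value
    return keys


def command_image(cmdline):
    """Executable path from a Run value: the quoted token, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def is_profile_drop(path):
    """True when an executable sits directly in C:\\Users\\<user>\\ or in that
    user's AppData\\Local\\Temp, the two places this sample's binaries lived."""
    p = PureWindowsPath(path)
    parts = [x.lower() for x in p.parts]
    if len(parts) < 4 or parts[1] != "users":
        return False
    below_profile = parts[3:]                      # everything after the user name
    in_root = len(below_profile) == 1
    in_temp = below_profile[:3] == ["appdata", "local", "temp"]
    return p.suffix.lower() in (".exe", ".scr", ".com") and (in_root or in_temp)


def triage(text):
    """Findings as (label, detail) tuples, in registry-export order."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, cmd in values.items():
                image = command_image(str(cmd))
                if is_profile_drop(image):
                    findings.append(("run_key_profile_drop", f"{key}\\{name} -> {image}"))
        elif k.endswith(ADVANCED_KEY):
            # Hidden: 1 = show hidden files, 2 = do not show (2 is also the
            # Windows default, so compare against the host's own baseline).
            # ShowSuperHidden: 1 = show protected OS files, 0 = hide them.
            if values.get("Hidden") == 2:
                findings.append(("explorer_hidden_files_not_shown", f"{key}\\Hidden=2"))
            if values.get("ShowSuperHidden") == 0:
                findings.append(("explorer_system_files_not_shown", f"{key}\\ShowSuperHidden=0"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_REG):
        print(f"{label:34s} {detail}")
```

The Run-key check is the strong signal: a legitimate installer rarely registers an executable sitting directly in the profile root. The Explorer findings are only corroborating, because Hidden=2 is also the Windows default; treat them as a prompt to compare against a known-good export from the same host rather than as proof on their own.
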
Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\koejaav.exe

    Filesize

    128KB

    MD5

    4284627783389c841c20521a473ea9c5

    SHA1

    514b9f8f3fcd65f2ce53613663c7377e50fe6500

    SHA256

    deb0a3409d31f3a488983c7128c4ad6fc21dabb9836bb71df494ac1c36c8ccf7

    SHA512

    39718b42df0aea702e61788390dd09f604a746cf88be878ceb193df31ec6c32dd473685355bac8c9370b06f517402b7be9dc006a0b01edbca818a06475f1bdcb

  • memory/540-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2092-0-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2092-9-0x00000000031C0000-0x00000000031E9000-memory.dmp

    Filesize

    164KB

  • memory/2092-18-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB
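
The four memory dumps above share one size (0x429000 - 0x400000 = 0x29000 bytes, the 164KB the report prints), and the parent (PID 2092) has a second region of exactly that size at 0x31C0000, captured between its two dumps of the 0x400000 region and before the child (PID 540) is dumped. The following added example, not the sandbox's own code, parses the dump names as listed and surfaces that layout programmatically. It assumes the pid-index-start-end naming pattern seen on the page, that the middle number is a capture sequence number, and that 0x400000 can be treated as the image base; the report states none of these explicitly.

```python
"""Parse the memory-dump names the report lists and check the layout they
show: a region the size of the main image appearing at a second address in
the parent process. Added example; not the sandbox's own code."""
import re
from collections import defaultdict

# Dump names exactly as listed under Downloads. The pid-index-start-end
# pattern is taken from the page; treating the index as a capture sequence
# number is an ASSUMPTION.
DUMPS = [
    "memory/540-19-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2092-0-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2092-9-0x00000000031C0000-0x00000000031E9000-memory.dmp",
    "memory/2092-18-0x0000000000400000-0x0000000000429000-memory.dmp",
]

# ASSUMPTION: 0x400000 is treated as the image base (the classic default for
# a non-relocated x86 PE); the report does not state the modules' bases.
IMAGE_BASE = 0x400000

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split a dump name into pid, sequence index, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def size_kb(nbytes):
    """Size in KB as the report prints it (0x29000 bytes is exactly 164KB)."""
    return nbytes // 1024


def timeline(names):
    """(seq, pid, start) for every dump, in capture order."""
    return sorted((d["seq"], d["pid"], d["start"]) for d in map(parse_dump, names))


def image_sized_copies(names):
    """Per pid, regions that match the IMAGE_BASE region's size but sit at a
    different address. Such a region is a candidate staged or unpacked copy
    of the image; it is consistent with the WriteProcessMemory signature but
    is not proof of injection on its own."""
    by_pid = defaultdict(list)
    for d in map(parse_dump, names):
        by_pid[d["pid"]].append(d)
    hits = []
    for pid, regions in sorted(by_pid.items()):
        image = [r for r in regions if r["start"] == IMAGE_BASE]
        if not image:
            continue
        img_size = image[0]["size"]
        for r in regions:
            if r["start"] != IMAGE_BASE and r["size"] == img_size:
                hits.append((pid, r["seq"], r["start"], r["size"]))
    return hits


if __name__ == "__main__":
    for seq, pid, start in timeline(DUMPS):
        print(f"seq {seq:2d}  pid {pid:5d}  0x{start:08X}")
    for pid, seq, start, size in image_sized_copies(DUMPS):
        print(f"pid {pid}: image-sized region at 0x{start:08X} "
              f"({size_kb(size)}KB) in dump seq {seq}")
```

The next step a practitioner would take is to diff the 2092-9 dump against the 2092-0 and 540-19 dumps: if the 0x31C0000 region is a byte-for-byte image copy (or the unpacked form of one) that explains why the child and parent have identical memory layouts despite different file hashes, and it tells you which dump to carve the real payload from.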