Overview

overview

7

Static

static

3

ea751680dc...18.exe

windows7-x64

7

ea751680dc...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea751680dc639aa0f5e6c7cd22e715d9_JaffaCakes118.exe

  • Size

    176KB

  • MD5

    ea751680dc639aa0f5e6c7cd22e715d9

  • SHA1

    2164fb5b36fdbda70d11fdb32e7573f19855c742

  • SHA256

    6390f5e3f4e9a269fd00c1b3236d4bc60eab167824f76e069a0d14b685ba0f55

  • SHA512

    684d1994146979829d2b418a1fddf1ffbb1caed6f246080d5a0f57c4a34224829091db4526e5a17272d0c775d5f55940b578a4e1f8ad1e95d6165cf846f51e67

  • SSDEEP

    1536:F8mXqN7nKIFO/Juf5n0lbStbuH7zhBah/Zi/bXbDpLD00AdmzcXPXBlJD3R+5:emXqN78kfQgbuHBBah/MDXTAdmzcfn50

Score
7/10
defense_evasiondiscovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 47 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea751680dc639aa0f5e6c7cd22e715d9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea751680dc639aa0f5e6c7cd22e715d9_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\MSV\nvs2290.tmp.bat" "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:1944
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i \n1D.msi /quiet
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EA7516~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:832
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31543474BBA7294D499F057176B28E24
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
    Filesize

    768B

    MD5

    d20d9eda31a2d0300e4589df7f352370

    SHA1

    79b46d2dbb489914cfedafdbc90e62951471b48e

    SHA256

    d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

    SHA512

    d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    57B

    MD5

    71f40ae16296f24ab599aad4f081063f

    SHA1

    2f5a2df4d5cdd109cc0b8365fcafd68cbdb85eb8

    SHA256

    8bf45e453238fc2be9f860bc2d56eb6ffea9fe72ab6dae50ff26380617357b19

    SHA512

    ebb94a56138b5b95668d1ef9b21127b1cf45a19ffbc6ebc0f23bb31e78d2aa1f80150fb14e2f3f55282b050388bf1478b0f44bfa9bde752a417197c550b21b7a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MSV\nvs2290.tmp.bat
    Filesize

    2KB

    MD5

    cc026bb8e7fc24bcac4b127fd0eab984

    SHA1

    f32b1c8d9bf80b56f2dbec1c27f72f05188e5ba4

    SHA256

    add1523a20de316094784a5ff5ef21bfff6cfcc1d7ba5c34a3b1bd77f9762f7f

    SHA512

    0bdf850bb49b0ffcce90aa0c3713b12204769bb79615ed52d8a6b7a0081874b3137108510e2e560d4c5106e3796205065182935007d28a8eee3ebdc33d1064e0

    Download Submit

  • memory/1944-43-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2756-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-6-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-66-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download