Overview

overview

10

Static

static

3

ea79863fe2...18.exe

windows7-x64

10

ea79863fe2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea79863fe238a42f4779cdf359ecd6c3_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    ea79863fe238a42f4779cdf359ecd6c3

  • SHA1

    0ee6065f0e2e8d94c10eb7ba8630d3c62d1d64cc

  • SHA256

    c88d1791cd93dafcf0738baaa30e9d4948a8426ddd8f8cce422c09ecc423cb43

  • SHA512

    922bf4aab631a7a50dcf893d49d4d36cf1a7909b04b619f741b38bd7651e226d8c4392121b412fc6fcc3c835542542d5031dbf3d757e1591946186e6bc052643

  • SSDEEP

    3072:Urdsw3ndb8KvAmRPveYlUq/kzPi0gEr+YsBYPAZ1KHiLwcIaZ144oQZiEMl9p:AXduEGaUq8iHEXsCJR8ZyWKR

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea79863fe238a42f4779cdf359ecd6c3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea79863fe238a42f4779cdf359ecd6c3_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\qieol.exe
      "C:\Users\Admin\qieol.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\qieol.exe
    Filesize

    152KB

    MD5

    31079395dec4f20a6b7e9e15ded6bfca

    SHA1

    6fb4cdb13a37a9be6f9dd4edcbde47b5cfc9e08f

    SHA256

    fbbeb99e37e2133373664e6ffa8e52711a3fa52cf35846b3a7d27d55be0185f8

    SHA512

    3cf71ad7520d609a03d1f3f80599331bd1be798404b60d80c1f9c7e463aeb802cf34cf12a89f570e587ac73ad2dd2c80ff1a76544721597801f87c44bc019964

    Download Submit