Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 06:29

General

  • Target

    eac3188db1de49c9b748084279796284_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    eac3188db1de49c9b748084279796284

  • SHA1

    f694b0f87c5e6dc435678f14ca1ba50da93f2928

  • SHA256

    06bd318cc01755391848668d46140261703fe965699f34dd48fcb85049dd8183

  • SHA512

    df36a6f81fa8bb4a8e522ab64b1fc6f606e6d6b357ff089917d06ced7650a60c46c3af43a62b35990e0f928f28ba78c2ef78a9379e717a16f3e9496bfda1491b

  • SSDEEP

    384:tczoYdP1jtpypbtB0celpCWDaiBy49vwpPpQ6L0WIc9Qe:OMI1jtMZcl4WDFyqwxS6L79

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  • Loads dropped DLL (1 IoC)
  • Drops file in System32 directory (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\eac3188db1de49c9b748084279796284_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eac3188db1de49c9b748084279796284_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\F9E1.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F9E1.tmp.bat

    Filesize

    207B

    MD5

    ca815fdae03d31dfaf7b36b4d619c92e

    SHA1

    2a1a78d5feae5b28598878fae1aef67d987d233b

    SHA256

    1bdfd4ac43384a0e45e87f70680b5d14a8d7b01d362ea40ab98b4ceeaf4e8410

    SHA512

    f676d0eb70a805eec4eba1602252f0cd2cd0353facbf14abe37d70ad190ff3cf11e05b8faf505176d72267851638782b5a6c2e1b7332f0d41ac3c8319ea7d918

  • C:\Windows\SysWOW64\cslkodje.nls

    Filesize

    428B

    MD5

    e59c68d7ddcda526765a879e63228e1e

    SHA1

    6d26b4ef1f31858e7f1332bb20c2c49d0472ede6

    SHA256

    135b283bdb69aed077557005e816d8b8eeaece4323f4093a76f4eb2d55be1b94

    SHA512

    4ddcbd27da1d5778f1558efc834fd7cc8a1aec7257c40ca3f0c2092a65563906ff85078ed9d7c68c5386d18e6f273ea0345a7e55cac8fcf447684d5b8e43d7b1

  • C:\Windows\SysWOW64\cslkodje.tmp

    Filesize

    2.1MB

    MD5

    853471f4e392dd51b98c6d7d57ce0672

    SHA1

    cc246cb314b1fb80e06afd27d37faa27afe1f7f7

    SHA256

    c1ab79c28f47bbb30c5a55b421b241d0acbcb5edaa7993d6f7f0d6fbd7019b9c

    SHA512

    8210730cc52282634fd356163c3d2cb30acbb090a5974f68e6e212c6578ceaf98ff023a65a92e6c1ceaab5e217a5235c23ab3ba593c969f711c36db4ea0d54b5

  • memory/1780-17-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/1780-22-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB