Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 05:56

General

  • Target

    eab5f1835ca428168ad81c9fb0599787_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    eab5f1835ca428168ad81c9fb0599787

  • SHA1

    c49a843c76af33e531aef759d43461319cfb2f52

  • SHA256

    07781a866734d4d058734f1520164ad318b8ef2b1a20920382251eea7d09926e

  • SHA512

    1be6459879f7456db46c4b04e800e50d97380c9a2a1756f6b06b7dfeda09f3b5730159f2375674150c6b55738a97ab04ad2196179b7ff48ae5fd250dbebce414

  • SSDEEP

    6144:32HjogGMqUSErB32IpxsgFFE8rkKAlKqN87GxQMEwpfY6I0uoQf9TNAGgDxC6O5:GHGMqUDFpxn7ESq0Gxqw5hDQfVcNO5

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab5f1835ca428168ad81c9fb0599787_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab5f1835ca428168ad81c9fb0599787_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3884
  • C:\Windows\systrm
    C:\Windows\systrm
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of FindShellTrayWindow
    PID:3188

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Delete.bat

    Filesize

    214B

    MD5

    1c5735c55574e11cef60e9126d7c2bcb

    SHA1

    fbe4a9323a422c35c3434ba08adb2a513d4b2a01

    SHA256

    a5959a8ad64f79e93f91a030c17a42e25af1e393adbb64b982610ad8b602399f

    SHA512

    b2680ab7d4fcc6623ff579065196e3a44e78257e5d9167ef62fd7fc3200b094173f2b4dde70f736e0823099c3cddcde2b533d17d457c6b8306e14f597f279766

  • C:\Windows\systrm

    Filesize

    400KB

    MD5

    eab5f1835ca428168ad81c9fb0599787

    SHA1

    c49a843c76af33e531aef759d43461319cfb2f52

    SHA256

    07781a866734d4d058734f1520164ad318b8ef2b1a20920382251eea7d09926e

    SHA512

    1be6459879f7456db46c4b04e800e50d97380c9a2a1756f6b06b7dfeda09f3b5730159f2375674150c6b55738a97ab04ad2196179b7ff48ae5fd250dbebce414

  • memory/1748-0-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB

  • memory/1748-1-0x0000000002380000-0x0000000002381000-memory.dmp

    Filesize

    4KB

  • memory/1748-10-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB

  • memory/3188-6-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

    Filesize

    4KB

  • memory/3188-13-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

    Filesize

    4KB

  • memory/3188-12-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB