Analysis

  • max time kernel
    135s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-09-2024 07:25

General

  • Target

    ead8a04c6fa9d84fbe429549d896cebf_JaffaCakes118.exe

  • Size

    72KB

  • MD5

    ead8a04c6fa9d84fbe429549d896cebf

  • SHA1

    7ef799039c69b06260450b61afb85c2b6fac3875

  • SHA256

    83f31fefe0d543f07677461f111b295cf993df1cb6035449683817369f4f8035

  • SHA512

    cdaf865b8579e0e07732627a4ab2402ae38ca2e6e2a233ac338ca6e08e96953f4755936ca6fa226879a27a9be76f1037dd53829fb7b13b81d57c5f51ff84a866

  • SSDEEP

    768:N92kt3Yyz3y1Rf1s1No3jW/XHe5PjjaIwhEkhoILv+CqwCqbcsa6s:Dl3YyzCnioT8XHQPqukhEwC6c0s

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ead8a04c6fa9d84fbe429549d896cebf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ead8a04c6fa9d84fbe429549d896cebf_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C xcopy %windir%\*.tmp2 %windir%\*.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy C:\Windows\*.tmp2 C:\Windows\*.exe
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        PID:5060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG ADD HKLM\software\microsoft\windows\currentversion\run /v asd /d %windir%\asd.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\software\microsoft\windows\currentversion\run /v asd /d C:\Windows\asd.exe /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2968
    • C:\Windows\asd.exe
      C:\Windows\asd.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\asd.tmp2

    Filesize

    36KB

    MD5

    1bffc864682f4d45255835a91465b915

    SHA1

    d9eb4c84cfba7acc2197215b46dabc6671338d14

    SHA256

    bd752a57d757dfb398b065ce2e2953f4a202a2cd826f3cf898e34dd80adec4a1

    SHA512

    476fa61e44d4f313a790b2d518d177ff5f3cc3a32f100c1ec8a5ce9f7316e7cdb46e7b4017aa35904a9d22a6168404d500b1dfe1cb6e4c09e56eecfe55414ca8

  • C:\Windows\trojan.ini

    Filesize

    105B

    MD5

    3ce9339fdb6a6a27ecbc859165492b4a

    SHA1

    cd19857bc3a28f643c2fb469daaf7cb9f63730a0

    SHA256

    3473097f3b48f2ba70109c325cd8149ad56011b12025aad15cd904d08266c1e8

    SHA512

    1bc6069859d3871a869af18f6be1c53a467937c7ae4ccaa4ca6b1be1bb49c9cf09b73d4455235f9f97cf27e165b58c01171fd52369c0438e1c4e9276bd3c494e