Analysis

  • max time kernel
    150s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 07:06

General

  • Target

    ead132aa943e8b9a653c867befa40d70_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    ead132aa943e8b9a653c867befa40d70

  • SHA1

    8bc3a9e5988a99afde3c34d4c61eb900b3507360

  • SHA256

    9eb028c51007b1ecee20304dafae84fc0905c53cdc541f1e1a71062e3fa19c93

  • SHA512

    26a1b22ce12433874b8cfb248c2e7f1e7ecdffaf6b022e09ded95b1ed44dfaedaa8f2ab5984ddb514e5a076f88e02ebfa417fbef74ceef9a62807f6c9da4373b

  • SSDEEP

    192:xFcFch3+53tijuZUObXNDG8SgIDHN0gd0zYJtPyQryOlpD2689OeuFY:xFcFgOPijulbNi8xIDHP0UHlpD2GY

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ead132aa943e8b9a653c867befa40d70_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ead132aa943e8b9a653c867befa40d70_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Dx.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\SysWOW64\attrib.exe
        attrib +r +s +h c:\stormliv.exe
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2360
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Dx /t REG_SZ /d c:\stormliv.exe /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Dx.bat

    Filesize

    336B

    MD5

    edd2d836c71d696a0883dc035f1c5af7

    SHA1

    7b91ed1692887358c5121b82ac6b93477c52a800

    SHA256

    a75b09d07a7b170f42cbecd52e6693de5cf077835a7330a2af45e27dba3887c5

    SHA512

    f19b870f16a4d472f2cf41649202923754393b1ad7e4f11b4d549d6ba5ab53aa9033b82d9f6addbcf37f64b565f71ccca147c86e50377274df0a29d647338466

  • C:\stormliv.exe

    Filesize

    24KB

    MD5

    ead132aa943e8b9a653c867befa40d70

    SHA1

    8bc3a9e5988a99afde3c34d4c61eb900b3507360

    SHA256

    9eb028c51007b1ecee20304dafae84fc0905c53cdc541f1e1a71062e3fa19c93

    SHA512

    26a1b22ce12433874b8cfb248c2e7f1e7ecdffaf6b022e09ded95b1ed44dfaedaa8f2ab5984ddb514e5a076f88e02ebfa417fbef74ceef9a62807f6c9da4373b