Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 14:17

General

  • Target

    eb826a2f5c090c4672cd33f7e7f097a0_JaffaCakes118.exe

  • Size

    52KB

  • MD5

    eb826a2f5c090c4672cd33f7e7f097a0

  • SHA1

    18b4b32b6bdf8646c1bea8c242af2a32acc381f8

  • SHA256

    1d58154dd4a4cd4467335e52d17bb9b67a95121ea3ba631d8fa36a4cd0685cb4

  • SHA512

    031d76a1d9a5efe2c044b929be29c5dba5a860232deacf5fa36f61654e5d0551bd139e7cd186e9fe9be4df5b927d3d20e9cbf3c5fdc27998b316d62c71e599a5

  • SSDEEP

    384:0/rwIZedbLkPO+dsRz+QzwnSguBBQARQk3ygMkk6QymJi6QVvlM:QsI2L6O+mDBBQARQk3rjmW

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb826a2f5c090c4672cd33f7e7f097a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb826a2f5c090c4672cd33f7e7f097a0_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\Fonts\treqabao.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EB826A~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\Fonts\treqabao.dll

    Filesize

    32KB

    MD5

    dcf1210a6e291f74395cb2827684eaa9

    SHA1

    ed876d101a5a4e04fa09edb7c904a8efb8566605

    SHA256

    4bb1cc64ca230faa2fb6bab078541f1af38ab64d77b4121c08459005bb23ccd5

    SHA512

    4d08db267958c7c97c6d8c142276db287cdeb5606bf2fc2b0b918c88d20a8ac219ce2053afe9fbd2c33f8e7d83eed684ad2cd41af9a9ffd0d6e697d21ae65d19

  • memory/1848-7-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/1848-11-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/2128-6-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB