Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 12:58

General

  • Target

    eda384b6c7545da8e449b2778b94a289_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    eda384b6c7545da8e449b2778b94a289

  • SHA1

    5eac483bfaf25be3f8aa9fb0759b73a0261e596a

  • SHA256

    006ed3742142ad5653ccc38e5b7f1ed3b55bd230b712012a66c279de891a1270

  • SHA512

    aecc1e1da2ef952e01905ced7e4512486b1e77ef8a644dbf1d25004be82d9f35d836c906f14c334449ab3c164b7365bcbc1ba306af3823ad29f5c37387afeba8

  • SSDEEP

    1536:v5l0ccxBnLLOB+dGrNjjmJ2NuKuFr1M5Br2QbCcIPf:oxB3OB++jOKbSf

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eda384b6c7545da8e449b2778b94a289_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eda384b6c7545da8e449b2778b94a289_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\zioka.exe
      "C:\Users\Admin\zioka.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\zioka.exe

    Filesize

    100KB

    MD5

    98129c4826a07f7a3258a4a629b06d98

    SHA1

    933fda6bf65ba05a2cc5974aa346d82524256377

    SHA256

    69ee4e1c7b926c40a2ce29627817d6c947fc883acde51683a6157bdbb76a3742

    SHA512

    fc54a9237862f0d8ed0ff98d91636cdd95eac3217dd44f918df172b582a3621b2dd87be6d28352913386fbad0c2e1b6d0ca8c3ea458e7e58c30262599ca120d4

  • memory/2500-34-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2500-38-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4928-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4928-37-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB