Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 15:09

General

  • Target

    eddb4eb195024878bf4d1833d282f6bd_JaffaCakes118.exe

  • Size

    248KB

  • MD5

    eddb4eb195024878bf4d1833d282f6bd

  • SHA1

    cefe34a0fd052712083940b3c513bc5a8eaef5cb

  • SHA256

    1ec1ef07bb9711b7d54827182e09f938a236f43d871e4885bd1ec7521662a6c5

  • SHA512

    181d78a34b19a7fee09446748102890399754d7b58e188c13c375d8e5f3e083c7d7280d5623ddcc29acfc0b0a2e04984fa078ae0a3ee4b106ee17cda3ff76f0d

  • SSDEEP

    1536:2rIP+ObSj0IaxamasaXaq4noBU66yVZxrkEhj7:+I210O7

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eddb4eb195024878bf4d1833d282f6bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eddb4eb195024878bf4d1833d282f6bd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\buoufo.exe
      "C:\Users\Admin\buoufo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\buoufo.exe

    Filesize

    248KB

    MD5

    071f8c279a9f27ac2c7c6617121148ab

    SHA1

    13e71552997ad4bdae87ccc894c8f2ef20198352

    SHA256

    d42283dc021605af67f2d402ca9b070eee2e56ff45fe690bdc3fbd852bdb195e

    SHA512

    cd203ee3a4e6f302130343a9b9e945513c87e5f204adc615ac01fe27164b48510c22b893445db7acf21a9ff913ca106de20e340a299dc389acf7357b3bb95e19
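The behaviours in the Signatures and Processes sections above (an executable dropped into the root of the user profile, a Run key added for it, and Explorer's hidden/system-file visibility changed) and the file hashes in this Downloads section can be turned into a small offline triage script. The block below is an added example, not output of the sandbox and not part of the report: it hashes files against the two SHA256 values listed on this page, parses a constructed `.reg` export, flags Run values whose command is an `.exe` sitting directly under `C:\Users\<name>\` (where `buoufo.exe` landed), and reports Explorer settings that hide hidden/system files. The Run value name `buoufo`, the `OneDrive` decoy entry and the `.reg` text are constructed for illustration; the report does not list the value name the sample actually wrote.

```python
"""Offline triage for the IoCs in this report (added example, not sandbox output)."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report: the dropper and the dropped buoufo.exe.
IOC_SHA256 = {
    "1ec1ef07bb9711b7d54827182e09f938a236f43d871e4885bd1ec7521662a6c5",
    "d42283dc021605af67f2d402ca9b070eee2e56ff45fe690bdc3fbd852bdb195e",
}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_matches_ioc(path: Path) -> bool:
    """Hash a file in 1 MiB chunks and compare with the report's SHA256 IoCs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() in IOC_SHA256


def check_temp_file(data: bytes) -> bool:
    """Write constructed bytes to a temp file and run the IoC check on it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        name = tmp.name
    try:
        return file_matches_ioc(Path(name))
    finally:
        Path(name).unlink(missing_ok=True)


# Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ and REG_DWORD only.
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text: str) -> dict:
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            # .reg exports escape backslashes as "\\"; undo that for string data.
            keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys


# An .exe directly under C:\Users\<name>\ (no deeper directory), as buoufo.exe was.
_PROFILE_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"?$', re.IGNORECASE)


def suspicious_run_entries(keys: dict) -> list:
    """Run values whose command launches an .exe from the root of a user profile."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            if isinstance(data, str) and _PROFILE_ROOT_EXE.match(data):
                hits.append((key, name, data))
    return hits


def explorer_hides_files(keys: dict) -> bool:
    """True if Explorer\\Advanced has Hidden=2 (hide hidden files) or ShowSuperHidden=0
    (hide protected OS files). Both are also Windows defaults, so on a live host this
    only corroborates the sandbox's 'modifies visibility' signature; what matters in
    an investigation is the write by the dropped process, not the value itself."""
    for key, values in keys.items():
        if key.lower().endswith(r"\explorer\advanced"):
            if values.get("Hidden") == 2 or values.get("ShowSuperHidden") == 0:
                return True
    return False


# Constructed .reg export modelled on the behaviours in this report (not real data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"buoufo"="C:\\Users\\Admin\\buoufo.exe"
"OneDrive"="C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""


def triage(reg_text: str) -> dict:
    keys = parse_reg_export(reg_text)
    return {
        "run_hits": suspicious_run_entries(keys),
        "explorer_hides_files": explorer_hides_files(keys),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REG))
```

On a real host, export the two keys with `reg export` (per user hive, since the sample wrote under HKCU) and feed the file to `triage`; pair the Run-key check with `file_matches_ioc` on the path each hit points at, because a rebuilt or repacked stage will keep the location and persistence pattern while the hash changes.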