Analysis

  • max time kernel
    31s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 16:06

General

  • Target

    edf3ba994f97430c98579ba8d84d6de6_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    edf3ba994f97430c98579ba8d84d6de6

  • SHA1

    ece97f49f75d25c8f561b949aecf4e62bc0b9e1b

  • SHA256

    8dda499584399fb05ae017dcf093d7aa327039f10fb69fa3d54253b7b888209a

  • SHA512

    8016c9be5ecb3f361e2bea11d95c2fb17b715ba52aaa05a5aeab5d00e41b7964923f2d0a3435ca0ad06f05d2498958539307e86e4736df8c3be59b0938d4d9c1

  • SSDEEP

    384:FIAoI4N/TA6kjOVvZzbWuGFbyaW6bZwcsj51Y8fJWI6S:FBo5JTA9jOVxPOhsI8Fr

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edf3ba994f97430c98579ba8d84d6de6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edf3ba994f97430c98579ba8d84d6de6_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\6A5.tmp.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6A5.tmp.bat

    Filesize

    207B

    MD5

    30c6411cf2e3042953ee161a32fe1ad8

    SHA1

    e69fc72cfdd7b28ca12614dbbe4e788a91d76f24

    SHA256

    3bf9fc2309dc01acc1c19603f215f474f1ea959dc1d2d207977afe420ab77c50

    SHA512

    e9de8788a2b6f0da3cbefa9f96243d7dbe2fb73e7693945a5cd254cb16d6a457d516973a7ba9e25d60edae0f2efe1db3c0fd59b59f0175b8592eb2cfc112a620

  • C:\Windows\SysWOW64\rxlsifdv.nls

    Filesize

    428B

    MD5

    4ebaf0888aaf49df5ca7adf16b18ebeb

    SHA1

    b28ba490dc67a1e2e1644fa3eec228695b0d4137

    SHA256

    4d6f218236666ac36ac68c7e4f565a4e49d6ffc24812b53db8863297d2e273f6

    SHA512

    65574bd0484d6b3fff0cc5accd5b3108fbf32b245d69e755867d6bffb6a8314db68aa3d2efafaa489c8285ab43b7dc32328d3425016c15b6d58b2a3c939ed344

  • C:\Windows\SysWOW64\rxlsifdv.tmp

    Filesize

    2.3MB

    MD5

    9ce695e4fe983046fbbc842832aafcbb

    SHA1

    51b7477b51eac63f8241982cf606a3ea689022ba

    SHA256

    14b671754cad50af809a9a60f03ebe66bbb176ca71a7268fa7ac3b4f9f4d5f3c

    SHA512

    d5f7432f19e1427e9f6a322aed50126f096264ad565bfb65e55030d8fd2c959651c7ac8f2d264be672cc69d4f5619f4bcd0a7e0ef5e1ffb0da0adba1460b9bb2

  • memory/904-16-0x0000000010000000-0x0000000010008000-memory.dmp

    Filesize

    32KB

  • memory/904-25-0x0000000010000000-0x0000000010008000-memory.dmp

    Filesize

    32KB