Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 18:12

General

  • Target

    ee28500129ca6f4097e11dc6c93e6c29_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    ee28500129ca6f4097e11dc6c93e6c29

  • SHA1

    dc803223709221a24221f539d3dbd19407e2ab73

  • SHA256

    187330f718eaaeb6da3cac42ae9e01355b072301f2f7b00140999190db5414be

  • SHA512

    004ddce69720c71d6d99fd549b2fc6341f44d929f94eb7df60fd8f64b657b13482b63a2762e19eb333ce6dbf20f5301dff6bcedd352e651ecb6fcc9286dc73f6

  • SSDEEP

    3072:KoBPNVT25wUV/U1CWTxN13tA/l+w+xFeABa06/JhkEwvnRud/HhJf32cAqOnCDd9:8yUV/0CkWdKWHmrU

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Office loads VBA resources; a macro or embedded object may be present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
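The "Drops autorun.inf file" and "Enumerates connected drives" signatures together describe the classic removable-media worm pattern: the sample writes an autorun.inf next to a copy of itself (here zPharaoh.exe) at the root of every drive it can reach. The helper below is an added triage example, not code from the sandbox or from the sample. It parses an autorun.inf and reports every directive that would launch a program, flagging targets that are executables sitting at the volume root. The report records only the size and hashes of C:\autorun.inf, not its contents, so the embedded autorun.inf text is constructed for illustration; the directive names (`open`, `shellexecute`, `shell\<verb>\command`) are the documented autorun.inf keys, and the extension list is a hypothetical triage choice.

```python
import re
from pathlib import PureWindowsPath

# Added example, not code from the sandbox or the sample.
# CONSTRUCTED autorun.inf for illustration: the report gives only the
# size/hashes of C:\autorun.inf, not its contents. 'open' is the AutoRun
# launch directive; 'shell\<verb>\command' lines add context-menu verbs.
SAMPLE_AUTORUN_INF = """\
; constructed sample
[AutoRun]
open=zPharaoh.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=Open
shell\\open\\command=zPharaoh.exe
shell\\explore\\command=zPharaoh.exe
action=Open folder to view files
"""

# Extensions Windows runs directly (hypothetical triage list; extend as needed).
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}

LAUNCH_DIRECTIVES = {"open", "shellexecute"}


def parse_autorun_inf(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from [autorun] / [autorun.<arch>] sections.

    Tolerates a UTF-8 BOM, NUL padding, CRLF, ';'/'#' comments, whitespace
    around '=' and mixed-case keys. Order and duplicates are preserved so
    the analyst sees every directive the file carries.
    """
    entries: list[tuple[str, str]] = []
    relevant = False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            relevant = line[1:-1].strip().lower().startswith("autorun")
            continue
        if relevant and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def program_of(command: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def triage(text: str) -> list[dict]:
    """List every directive that names a program, with two red-flag bits.

    executable:  the target has an executable extension
    volume_root: the target is a bare filename, i.e. it lives next to the
                 autorun.inf (the pattern in the report: autorun.inf and
                 zPharaoh.exe at C:\\ and F:\\)
    """
    findings = []
    for key, value in parse_autorun_inf(text):
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in LAUNCH_DIRECTIVES and not is_shell_verb:
            continue
        prog = program_of(value)
        path = PureWindowsPath(prog)
        findings.append({
            "directive": key,
            "program": prog,
            "executable": path.suffix.lower() in EXEC_EXTS,
            "volume_root": not path.drive and len(path.parts) == 1,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUN_INF):
        flag = "!!" if f["executable"] and f["volume_root"] else "  "
        print(f"{flag} {f['directive']:<24} -> {f['program']}")
```

Run it against autorun.inf files recovered from the sandbox's dropped-file list or from a suspect drive; a directive whose target is both `executable` and `volume_root` is the worm pattern this report shows. Note that Windows 7 and later do not honour autorun.inf on USB storage, so on current hosts the file mainly marks a drive the sample has visited, while on older unpatched hosts it is a real execution path.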

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee28500129ca6f4097e11dc6c93e6c29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee28500129ca6f4097e11dc6c93e6c29_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2976

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      f6d1b922377e16cb5dc7588850a3ecc6

      SHA1

      54e2791adc47aee49955089ef41ba834159b22b6

      SHA256

      ab8a3283aeeb82f584002cc8c06e07b98fce0c56ff102c6806b332b1696d7001

      SHA512

      9b1ef68d006787964c97b655c66cf85847482f98d31657d709c1360a47bc516e1e2fd5b07945a111a708bea9793104fdfdb25600f16d2f92a4b7b490d9f0cdfa

    • C:\autorun.inf

      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    • C:\zPharaoh.exe

      Filesize

      151KB

      MD5

      1501218fc83f400f547427fd7d50893d

      SHA1

      cc1a25d842830ae448a10706876bcf9e2374a745

      SHA256

      6d51203f6e8fd6f031737b8b8e8850dda486de47dbfec2278d0036567908fba2

      SHA512

      03ebb05403f9050027abcb235bb5c53d268236b69c667cb1a9fdfb97aaa2c608daf8a019622fca59d35bfb1d215e13f6ab300252a4c00d02767238287f693998

    • F:\zPharaoh.exe

      Filesize

      151KB

      MD5

      c444b2301485fa5a31f776ed1bb3af6b

      SHA1

      0616baa28d4d4543ce9c926dd2d0b009f4b30d8e

      SHA256

      8751cff8335acca94be612f7025bf9484bcd3f84ce2ac08023f217ae539d8548

      SHA512

      fe92203598da1b8b229dfabf64ace78c89a7a0e976d63c3fa5a31e5bb26143a7f7cc82c8e7de7fd28e6a4f5e4948c6af36f806a7b90a039534e99803dded3371

    • memory/2056-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2056-30-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2244-27-0x000000002F091000-0x000000002F092000-memory.dmp

      Filesize

      4KB

    • memory/2244-32-0x000000007128D000-0x0000000071298000-memory.dmp

      Filesize

      44KB

    • memory/2244-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2244-38-0x000000007128D000-0x0000000071298000-memory.dmp

      Filesize

      44KB

    • memory/2244-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB