Overview

overview

10

Static

static

3

eefdb31c99...18.exe

windows7-x64

10

eefdb31c99...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eefdb31c997e326f76cc23a1a39c12d2_JaffaCakes118.exe

  • Size

    151KB

  • MD5

    eefdb31c997e326f76cc23a1a39c12d2

  • SHA1

    9919a241cd29fc8af20d793274c3ec1867dd3039

  • SHA256

    4d2aa1a180cf16f979ef8d4882337e23c581ff566f5856f698c2f1fab3fba83e

  • SHA512

    e513152860dc43225adca7cc56d0a11baa8aac605408410d77dc2c42d8dc5fbf29f1787e369e423c673d02d3ed8215793f23aa6ea9135271cfe9046b20549a3b

  • SSDEEP

    3072:xd8MWHPTtj2iRqpbhJEs11fzIAcC/Bu76hLrj:xd8MWHPTtj2iSn711rXq2P

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eefdb31c997e326f76cc23a1a39c12d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eefdb31c997e326f76cc23a1a39c12d2_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      640cdd43b4589bf166697c31014e49e3

      SHA1

      af347cd311aefa7aac70fba49c0c21b3ed269d96

      SHA256

      1dcef374752c1bb8ef030dfacf3d8d6790b039b3da2b84bf6bf797513a0d9894

      SHA512

      684c4a68e30471d30ea86ad173586be43991f6af27a33b9ae9511599a7b86ac2a71cc48f26c038c791891ebcdd1f113785e2f66074e97d287030f9708df51ed1

      Download Submit

    • C:\autorun.inf
      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

      Download Submit

    • C:\zPharaoh.exe
      Filesize

      151KB

      MD5

      e62512ad79e33ce293423f7976424f3e

      SHA1

      acea7f476ba0423b302f16f892e0e58dbae1fd35

      SHA256

      73875234af652759818acd097c8f7cfc63dd66951de420cd7968e4f39366e149

      SHA512

      d8704cfae5c8daf5e1bffc53dcc59d2246a40e07b385566146236169fd0ed9a4790df7f3adc6dea40bab534ac3804f1e17dfbe5f41047c2921faa1d1a24fe10f

      Download Submit

    • F:\zPharaoh.exe
      Filesize

      152KB

      MD5

      27a9c4ee2faafc02ec829e4dff9712cb

      SHA1

      4ebfd40ae557974624407401474aa6b92c9dbe0c

      SHA256

      ff19fe5d230014da1a9c78a758aa3b7f7e9b738926a607ef2329faed719d705d

      SHA512

      dfd104fd3d7edbce1ec3dfc697efd9545c54ca37b69bfc672cc8127036e636c68590dab58c0176687f6c60459882aec33e676d1ed08036023a1e3e91f639767e

      Download Submit

    • memory/2144-30-0x000000002F551000-0x000000002F552000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2144-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2144-32-0x000000007192D000-0x0000000071938000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2144-34-0x000000007192D000-0x0000000071938000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2144-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2232-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2232-29-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download