Analysis

  • max time kernel
    128s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2024 03:07

General

  • Target

    eef5afdf802c4266bc6c9e11253122cd_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    eef5afdf802c4266bc6c9e11253122cd

  • SHA1

    9ac0696e41af62f9c8d60b95ebb578171a331c03

  • SHA256

    7545205195d39a01a2696ec0c3bd63599c28e0de50c5368d676f21535e70addb

  • SHA512

    acfefb2e3251ed73866d45ec3ff068559e0a0981abb99900af28ad89ad263b33467e95b04933376f1997bd7056737cbffe0f18f79b6ec81ff2dc2db9ad27a9c4

  • SSDEEP

    384:qqPKe+NmiOtoCOQFuZqhYE1Ff4zHQOtiv3Ga:qTHmiOtDOQD7Dfm3tivd

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eef5afdf802c4266bc6c9e11253122cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eef5afdf802c4266bc6c9e11253122cd_JaffaCakes118.exe"
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\F4D.tmp.bat
      • System Location Discovery: System Language Discovery
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F4D.tmp.bat

    Filesize

    207B

    MD5

    dd84d701a9f7f709bb82500109c9119e

    SHA1

    f2edf91e3d09806292049d196f06e1d7eca028e3

    SHA256

    0ccb837020be7d4e47a573e22bb0bd49582a7130f11efbb4b4e14d8259461a9b

    SHA512

    07d83fd60412091f63b348ecc3d09788bd67e19d5fd7d0961b560c337375a952b05cc4fbedc8ed30f5e3dc57acb8756aee4e20854badf26a3271418fc84e41a5

  • C:\Windows\SysWOW64\wlxzywbv.nls

    Filesize

    428B

    MD5

    ec4b97327b1530fe6493568039318323

    SHA1

    523d3b4da6276d57e2c31d0e7a878fdcc4405a8e

    SHA256

    669af1ee6f04e3897689a45e4b4254a9418b3b0db9ae2f669b78366f80042840

    SHA512

    771b1a10d7b62c19df4f2dc0a2b81ca23fc3af7b712bee0556c6eeffef5e8a36d2c1b7e7da86d9c523c444263b7edcd5576640b16abbe5fcf1e45decadbc9693

  • C:\Windows\SysWOW64\wlxzywbv.tmp

    Filesize

    2.5MB

    MD5

    d19cc89fedfce7566374bbd463b5aa98

    SHA1

    d80abf858608d9f82a26169d789494528efccf43

    SHA256

    59cce95a3d702a37e888832e79655ff22393365eeefb3999f1a31cda12bb7adb

    SHA512

    07d7c27acdf040872ce171b8910a5a9a319c092d5be2f99d2c9a71a447dfa7c657079b76d626097854c9208a8ea0bccc957418191a32d3b92a93740813162613

  • memory/2480-17-0x0000000010000000-0x000000001006C000-memory.dmp

    Filesize

    432KB

  • memory/2480-22-0x0000000010000000-0x000000001006C000-memory.dmp

    Filesize

    432KB