Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 07:31

General

  • Target

    f5808c47fb0cba23c0d41ec9ff37ee07_JaffaCakes118.exe

  • Size

    575KB

  • MD5

    f5808c47fb0cba23c0d41ec9ff37ee07

  • SHA1

    980759888d77c3637a7de4d57c9f87f59b8f654c

  • SHA256

    4d6e935ca3ede8ae7eeb30f18f489a93123605ee6ee2fe3869cc9d1751523e4e

  • SHA512

    7d72fbf24255b6c2b322756019a975bf3cd289c7c7514982610b37d46f3197e62ae842da50b799d2d150716dd4f5d9ad184de4f5732a8e69138155248394471a

  • SSDEEP

    12288:kEs/iRNp4QoFwxyR9XGbsnJNZErnXEJ69w0p8N:kEciRNp4QdyR9GxnXZ+v

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 6 IoCs)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in Windows directory (7 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (13 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5808c47fb0cba23c0d41ec9ff37ee07_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5808c47fb0cba23c0d41ec9ff37ee07_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\ProgramData\cisvc.exe
      C:\ProgramData\cisvc.exe /a 1
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\cisvc.exe

    Filesize

    575KB

    MD5

    f5808c47fb0cba23c0d41ec9ff37ee07

    SHA1

    980759888d77c3637a7de4d57c9f87f59b8f654c

    SHA256

    4d6e935ca3ede8ae7eeb30f18f489a93123605ee6ee2fe3869cc9d1751523e4e

    SHA512

    7d72fbf24255b6c2b322756019a975bf3cd289c7c7514982610b37d46f3197e62ae842da50b799d2d150716dd4f5d9ad184de4f5732a8e69138155248394471a

  • C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

    Filesize

    10B

    MD5

    b69816e8615b63811c89a99f7d686dab

    SHA1

    844dbf038d142375cfd75bfa88bff3fc4e2079f4

    SHA256

    cd8e50077c7e4b26922c5b50f452ec804117d279db6110b697a9d6283c0e0427

    SHA512

    d03c2cb79fe8a44bab2bd190e40ad268e2817275693905bc5a6da829c1c5c2caf898f979a0d7885e295b65f88fec752e755551502236f7a4a8287d8170f1d593

  • C:\Windows\System\RCX6B7B.tmp

    Filesize

    575KB

    MD5

    f35281969e62c4d775967434b14fa230

    SHA1

    69b520ac5e04a4aa5deb177e3836b6a352e8bf86

    SHA256

    834141038b08c3f827c073c6d8df84644b4de1511ed4c1827ff62599fcced381

    SHA512

    5a100ddef133bc4d35bb66898a825afe3321beb6a03286306e9e00e2db8e6b961a135c7172a5fb2b4e2e0d4330142e8fddd680ca887ecd606cc6668e8f470f28