Overview

overview

8

Static

static

3

fe74e997a5...18.exe

windows7-x64

8

fe74e997a5...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe

  • Size

    291KB

  • MD5

    fe74e997a5467841f5b915450e9d89e4

  • SHA1

    e6b1433edb9906c504f0a1afdf7132a825743b22

  • SHA256

    73e4ce6e3b6c1e9f92ea8bc8f7d65ff4df1e2ba6d78fad549caf4d226b6e26eb

  • SHA512

    c5b372907fe939e6f00c53dee2c0cc5d6c444cc161541c6a10e12e5ee5a9143a9d3fbd3dff648d772f713eea9f38c4370d782ba8f0fa855a3a0eaf9b8a3ea396

  • SSDEEP

    6144:qseuhm7O/klr2tqahdbzI6cxVcw5BbE2CApcv2M1XjWLiiacHpdt:MuhmJao5PCACvrTOi9O

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1892
          • C:\Users\Admin\AppData\Local\Temp\tempdir.exe
            C:\Users\Admin\AppData\Local\Temp\tempdir.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Users\Admin\AppData\Local\Temp\tempdir.exe
              C:\Users\Admin\AppData\Local\Temp\tempdir.exe -Nod32
              5⤵
              • Server Software Component: Terminal Services DLL
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:3188
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Windows\system32\KMe.bat
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2660
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netservice
      1⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
      Filesize

      225KB

      MD5

      c9685a9486c27d37f64fa2521f276d43

      SHA1

      3e88a8ada69f5d3b20cec12d731b0b7ecc5c8458

      SHA256

      90a3b7a01912dfdaadaa3cc786fcc18b3837f7330dbb515c295a467db759fe44

      SHA512

      58adc5a80abcfbce73d86f0c9da73e4527a83a2854aa337b14d0c29538e14c2fab32883712664323eef175200e696880b170578d02d5fc625bd8cd7993c07b06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      Filesize

      465KB

      MD5

      5e4dda7df4df581270f84feb503c1997

      SHA1

      a625dc8fc1549f6e859bf3d19b2a112728c0b1eb

      SHA256

      916a97987f7171a554de264a8c1786c92d41246073fa8f1a432882466dc125fe

      SHA512

      c890e85ae76602ff23c3a078f3c00a331a8ee8a2c70a624731a34eba278e1b427c1e2e909a904fc278ba2040974be27a5faae36fed59c9e92b951f18280b0cbc

      Download Submit

    • C:\Windows\SysWOW64\KMe.bat
      Filesize

      61B

      MD5

      8f3848be53fc40fa7cfceea85e573d16

      SHA1

      f5e07757d091a4549c1b5163d2fa853a0199f55d

      SHA256

      165f6a63e2302b68389779848da0166e5412c53111722885719f616ef5e18b3b

      SHA512

      1ea3b4311bda4032fe5b3e4c1353c654a1d49dc0105f9af5cfee8dedf9ef1a3a1c005e71890bdc87e9ffcee31c4f787ba6f0968cdfc60aa0a7febbca93300577

      Download Submit

    • C:\Windows\SysWOW64\System64.dat
      Filesize

      162B

      MD5

      c9f55e03623a1ea7f9bcbf13d205e32b

      SHA1

      4e9d1f218e21035c4d36fe1b1cb9ca1620dfaabb

      SHA256

      df0e39eedb54ca9eadfd2254e8b263169bc65387be7243a1793afb794c7e0981

      SHA512

      9f5da8106b9ac6cebad0cb67864052a86c044ba3c631bfa742ca9133c1a2f6f79ac3b286b03865ee32ba1089452c9b7fa3e486d1d4390b3586d0e83a5ecd0424

      Download Submit

    • \??\c:\windows\SysWOW64\system64.dll
      Filesize

      357KB

      MD5

      a715478f4401f70db0b423b777e6bb1c

      SHA1

      6d1ce804cbe10f55147ea5207e9a7a4bf5090c7a

      SHA256

      af04167568ccd9c6700a5f825de9d1a02144cdef1ee651ab2d78c08dbc40a5bb

      SHA512

      0030f6ee04c39bed886d576061f7eb0f6ec60f2d7efd3066c48394b9990161e133d3248ec4ddaa5dcfb6c00de309c9d6e13029a4768acd620dba8cab962b4130

      Download Submit

    • memory/1892-26-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1892-7-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/3188-22-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/3436-36-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-32-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-21-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-42-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-41-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-28-0x0000000001330000-0x0000000001331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3436-29-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-30-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-31-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-40-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-33-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-34-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-35-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-39-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-37-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3436-38-0x0000000000960000-0x00000000009BF000-memory.dmp

      Filesize

      380KB

      Download

    • memory/4052-23-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/4424-0-0x0000000001000000-0x0000000001115000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4424-27-0x0000000001000000-0x0000000001115000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4424-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download