Overview

overview

8

Static

static

3

011c8311ca...18.exe

windows7-x64

8

011c8311ca...18.exe

windows10-2004-x64

8

$TEMP/51cdF_RQLr.dll

windows7-x64

7

$TEMP/51cdF_RQLr.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    93s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    011c8311cae1ccf9f9897109a95d2bc0_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    011c8311cae1ccf9f9897109a95d2bc0

  • SHA1

    0d5a196955911bb6481a589c52de1a6c335df95c

  • SHA256

    6a82bfbe2bd2123efa496afa735f0c76a872a3ca7e088adcefc4bb6ebf30dc97

  • SHA512

    56398cdfccc5866ce38039e72845cce456fceadf35ed2371b4e089fe31c918de3a2536675d721a7d83bb34570c965803fbdc17c4a0dd46e70e2f4fc72ce57c27

  • SSDEEP

    3072:IgXdZt9P6D3XJbC1fHK1tjsITcqbfH7TtEXM:Ie3441fHK1JxcEH7h

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\011c8311cae1ccf9f9897109a95d2bc0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\011c8311cae1ccf9f9897109a95d2bc0_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\51cdF_RQLr.dll",Install C:\Users\Admin\AppData\Local\Temp\51cdF_RQLr
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\51cdF_RQLr
    Filesize

    1024B

    MD5

    85de7e6bd817b6c42a2354b4cf348b98

    SHA1

    01729ba51c7b7acb9bb920fb41bcf4d6f4aa4a6c

    SHA256

    06445b7e8cbde1cbfffcc67e16562f4b01ceced5f6ffa21f6ff497304ad03966

    SHA512

    e2b40b9a72e75624135b8fc042f18cd3b1686bf7901791e3cdd98500193bf94e5ee9ef03c4539fba731d0a204f2b5a15d5b2c0f4b6a0b6c0f36c86391da4fce9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\51cdF_RQLr.dll
    Filesize

    89KB

    MD5

    7a06cb307f802c120609c0b3c1e963a9

    SHA1

    2bda4b275422ea6138b12efaeefcb9e279f1de95

    SHA256

    292340cb04147497e7828986c55765e24bc863ab8e3066b317d78032beab984a

    SHA512

    a38c7cfb714859ddca000390bae3c4dc5a4cf88db2e974168bf1270b0740568630ce2afd63cb6b663c7df9296a97d2c0dbc0968b2eaaab74487cd179876752a6

    Download Submit

  • memory/2568-4-0x00000000026B0000-0x00000000026C4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2568-5-0x00000000026D0000-0x00000000026E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2568-6-0x0000000002790000-0x00000000027A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2568-8-0x00000000026D0000-0x00000000026E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2568-9-0x0000000002790000-0x00000000027A4000-memory.dmp

    Filesize

    80KB

    Download