Overview

overview

7

Static

static

3

0413a4bb8e...18.exe

windows7-x64

7

0413a4bb8e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0413a4bb8e532da06d001a3cd660675f_JaffaCakes118.exe

  • Size

    806KB

  • MD5

    0413a4bb8e532da06d001a3cd660675f

  • SHA1

    c9c624619788cf0f2944a003770b8c8d18757e6a

  • SHA256

    6a94716648b6b9de0d42af03628d0578500bd1cdf063ce4ae55db5b0b92bc89a

  • SHA512

    110e60fdcf9537dfbe04e9d73fbbfadb28f2824a50bc5e76e9879fa663830e3629c0633becb9f34ea74e0f39ca2bac8e94b13e6f8735d00c4f1da5f8bd18d875

  • SSDEEP

    12288:BGBrhBXzUNXocDtm+IAvFno+kO9HOdhaxNJnLb6YE9e+jQLcJ:UBHzUnY+/F1kOZkha/ZyYE46nJ

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0413a4bb8e532da06d001a3cd660675f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0413a4bb8e532da06d001a3cd660675f_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wdfmgrs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wdfmgrs.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1720
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Patch.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Patch.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4848
  • C:\Windows\SysWOW64\wdfmgrs.exe
    C:\Windows\SysWOW64\wdfmgrs.exe -service
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4996
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x424 0x33c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Patch.exe
    Filesize

    322KB

    MD5

    7cc287473498bc328dc272f2d12db44a

    SHA1

    830ba3d81893027ec5ab146c98cc4a6686be70e3

    SHA256

    6df8010fd70d2ced8bedb3d7130652675c376534f806e1c8ea564419e3b86215

    SHA512

    09a45475265726212aa7747ffc1b5ab4cc5cf9725b54938391316bf94f1f0a797eb9105ab81e12f26a312f4241de4c0150a608570b11de2857a1d46e5804f9d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wdfmgrs.exe
    Filesize

    517KB

    MD5

    d1254edca9a72083e11a94feefafe8df

    SHA1

    4c22e786134c8339f423c2fa09bffccdf8868b01

    SHA256

    6a8f36d163a4fc4022579c32e24a28c170ae499e8661ea03e1300f98101c6584

    SHA512

    6deee1aec34992b19b5fcc6df6f38a9c789293c350180d5baf1bb2f0cf01885ae71942bbf53d22a458481ed30b395b5e2d62f1a5c02e0bcde667cb89ff6548c3

    Download Submit

  • C:\Windows\SysWOW64\BASSMOD.dll
    Filesize

    33KB

    MD5

    e4ec57e8508c5c4040383ebe6d367928

    SHA1

    b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

    SHA256

    8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

    SHA512

    77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

    Download Submit

  • memory/1720-24-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-7-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-8-0x000000000054D000-0x000000000054E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-10-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-12-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-11-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-9-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-14-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1720-13-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4848-47-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-54-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-64-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-62-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-27-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4848-60-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-33-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-58-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-36-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-37-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-39-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-56-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-41-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-43-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-45-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-52-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-49-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4848-51-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4996-18-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4996-22-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4996-40-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4996-34-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4996-20-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4996-19-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4996-21-0x0000000000400000-0x0000000000574000-memory.dmp

    Filesize

    1.5MB

    Download