Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 10:57

General

  • Target

    0a51c0a0fed6e716db219f51a20601cb_JaffaCakes118.exe

  • Size

    29KB

  • MD5

    0a51c0a0fed6e716db219f51a20601cb

  • SHA1

    d7e829d27ebf8f31310bdb8a3cb3f0deaee93c3d

  • SHA256

    bd908235b7a22d5594b920c79c9b232f097b72ac404f5643c404a52c2e570b6f

  • SHA512

    a2abf0b38d70bf975149a5399154e4bb1ba16960061840ccea5e00b853e24b98ed196fef12bfc620d8902755dee87ac3edbd9a216263cc353f5c6733b158304f

  • SSDEEP

    384:Y4YrQkGxhMRN5Z9ST8QyApk1jA/YYJLW7wycJbg+:YtqMRTm8QDQjA/tLhbB

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a51c0a0fed6e716db219f51a20601cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a51c0a0fed6e716db219f51a20601cb_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\0a51c0a0fed6e716db219f51a20601cb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0a51c0a0fed6e716db219f51a20601cb_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\Googlemt.exe
        "C:\Windows\Googlemt.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\Googlemt.exe
          "C:\Windows\Googlemt.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Deletes itself
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MyTemp

    Filesize

    84B

    MD5

    7e71d6e1b70443bcbf9d4f328ce1f3f6

    SHA1

    cb934ed847d5874ac93e0501abf0f38207f7185f

    SHA256

    e2dcfd5d2d5553982832e3b418b2b13eb063183d4a251b974a1661a37bfed580

    SHA512

    e91fe4d86dec4ad4691837fe919109da62e276165f3ba75a363c1892782be7ecd78ff2942620675fc85a83dc47ecfb482f217a5893d4bb485320496e6b870b22

  • C:\Windows\Googlemt.exe

    Filesize

    7.6MB

    MD5

    576e3093f4d759a895fb9bd710231065

    SHA1

    7d664d93915f9111c76f21a1e8203a6e2fd8d3ef

    SHA256

    d1a53488d07001447299bfa13465604f8d6b2ec2e47569f2f00b24815336abe6

    SHA512

    f3b24699567937b918a73f9e343121f4a87c8b5bce9c30068ac3440ed5c9e43d7f3258d7cfebb1425520e134a5c69221c241d5beddd0401692f7317a60249ed2