Overview

overview

7

Static

static

3

0c418c323d...18.exe

windows7-x64

7

0c418c323d...18.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 19:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0c418c323d3add04390e99d2d52fd0dd_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    0c418c323d3add04390e99d2d52fd0dd

  • SHA1

    a360e2dbcb12476d7403ec2b05835b55e63f98f6

  • SHA256

    e4773f9190b39e602e586b626ae754dbfc4ba5461dbc2bbdee8a96b8165929ee

  • SHA512

    8f4151432a31cea2e79252f527a0df316bc35bd57ce4536b7a536e1ea72bce678ad890e48ecdb488fc9347ff960b6636d197e5cce41a9d9907e1a25e97ff4c98

  • SSDEEP

    3072:y1Xm4k5B7JLUxukQqt0361QyXW0koIPWgihWqg8lI1yXSz9oil:Emj7NA+qjlI16Sz9oil

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c418c323d3add04390e99d2d52fd0dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c418c323d3add04390e99d2d52fd0dd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\0c418c323d3add04390e99d2d52fd0dd_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\0c418c323d3add04390e99d2d52fd0dd_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Users\Admin\AppData\Roaming\Shell32Shield.exe
        C:\Users\Admin\AppData\Roaming\Shell32Shield.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Users\Admin\AppData\Roaming\Shell32Shield.exe
          C:\Users\Admin\AppData\Roaming\Shell32Shield.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Users\Admin\AppData\Roaming\Shell32Update.exe
            C:\Users\Admin\AppData\Roaming\Shell32Update.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Users\Admin\AppData\Roaming\Shell32Update.exe
              C:\Users\Admin\AppData\Roaming\Shell32Update.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Enumerates connected drives
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1552

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RXRX1VH\NewErrorPageTemplate[1]
          Filesize

          1KB

          MD5

          cdf81e591d9cbfb47a7f97a2bcdb70b9

          SHA1

          8f12010dfaacdecad77b70a3e781c707cf328496

          SHA256

          204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

          SHA512

          977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\dnserrordiagoff[1]
          Filesize

          1KB

          MD5

          47f581b112d58eda23ea8b2e08cf0ff0

          SHA1

          6ec1df5eaec1439573aef0fb96dabfc953305e5b

          SHA256

          b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

          SHA512

          187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\errorPageStrings[2]
          Filesize

          2KB

          MD5

          e3e4a98353f119b80b323302f26b78fa

          SHA1

          20ee35a370cdd3a8a7d04b506410300fd0a6a864

          SHA256

          9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

          SHA512

          d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OX8Z8GR5\httpErrorPagesScripts[1]
          Filesize

          8KB

          MD5

          3f57b781cb3ef114dd0b665151571b7b

          SHA1

          ce6a63f996df3a1cccb81720e21204b825e0238c

          SHA256

          46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

          SHA512

          8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DatTemp.tmp
          Filesize

          2KB

          MD5

          8bfcf44eb468bd8d016c0a378f5ce3b6

          SHA1

          11afc64a4248bf6856fc4f8481d6b62f50f86143

          SHA256

          04aa3b55acb1d205869dda64310cd684169666980c1fc4f41d7364ee58a7f973

          SHA512

          3e445d11ba096b13fca27dd4a7cd620eff4a31f90163f91002128baf96ad95bf58f4dd7143ca59789701aacc55fd9d68400e6bff350e1781696cdf0a95754ea8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\699c4b9cdebca7aaea5193cae8a50098_d9071d2c-e5ad-4187-a976-30114bb93bf6
          Filesize

          50B

          MD5

          5b63d4dd8c04c88c0e30e494ec6a609a

          SHA1

          884d5a8bdc25fe794dc22ef9518009dcf0069d09

          SHA256

          4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

          SHA512

          15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

          Download Submit

        • \Users\Admin\AppData\Roaming\Shell32Shield.exe
          Filesize

          191KB

          MD5

          0c418c323d3add04390e99d2d52fd0dd

          SHA1

          a360e2dbcb12476d7403ec2b05835b55e63f98f6

          SHA256

          e4773f9190b39e602e586b626ae754dbfc4ba5461dbc2bbdee8a96b8165929ee

          SHA512

          8f4151432a31cea2e79252f527a0df316bc35bd57ce4536b7a536e1ea72bce678ad890e48ecdb488fc9347ff960b6636d197e5cce41a9d9907e1a25e97ff4c98

          Download Submit

        • memory/1552-304-0x0000000000800000-0x0000000000825000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1552-431-0x0000000000800000-0x0000000000825000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1552-432-0x0000000000800000-0x0000000000825000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1552-305-0x0000000000800000-0x0000000000825000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1552-434-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/1552-422-0x0000000005BA0000-0x0000000005BFA000-memory.dmp

          Filesize

          360KB

          Download

        • memory/1552-309-0x0000000000830000-0x000000000087F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/1552-433-0x0000000000800000-0x0000000000825000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1552-306-0x0000000000800000-0x0000000000825000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1808-146-0x0000000000400000-0x0000000000424001-memory.dmp

          Filesize

          144KB

          Download

        • memory/2080-303-0x0000000000400000-0x0000000000424001-memory.dmp

          Filesize

          144KB

          Download

        • memory/2080-293-0x0000000000820000-0x0000000000845000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2080-292-0x0000000000820000-0x0000000000845000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2104-286-0x00000000061F0000-0x0000000006215000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2104-264-0x0000000004D80000-0x0000000004EF5000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2104-423-0x0000000006660000-0x00000000066BA000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2104-424-0x00000000061F0000-0x0000000006215000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2104-430-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2128-181-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2128-136-0x0000000005950000-0x0000000005975000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2128-131-0x0000000005950000-0x0000000005975000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2128-60-0x00000000048B0000-0x0000000004BF7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2128-11-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2128-8-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2296-0-0x0000000000400000-0x0000000000424001-memory.dmp

          Filesize

          144KB

          Download

        • memory/2296-10-0x0000000000400000-0x0000000000424001-memory.dmp

          Filesize

          144KB

          Download