Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2024, 01:11 UTC

General

  • Target: 0d3f3c01ddfe3da2226fd7dea710765b_JaffaCakes118.exe
  • Size: 281KB
  • MD5: 0d3f3c01ddfe3da2226fd7dea710765b
  • SHA1: 2c6b244dca969825ae8f33a123e3fed32d4d775f
  • SHA256: a52528ae7377fd3b68b133a681906b099e1dedfa357e91722b663d2a2a48a8f1
  • SHA512: 225dbead617cea7267dcc63b3fe3f1d5802a26dbdeeb42904f42d83aefe983179eec736a9c36a83c7c349bd06d4600cf3110687278aa35ed72780efef2fdcf14
  • SSDEEP: 6144:ksaocyLCjFCjn1DtNpVB/F+IbpQlxetnEEDUbqiT:ktobaknlfP+IlrHDUmiT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d3f3c01ddfe3da2226fd7dea710765b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d3f3c01ddfe3da2226fd7dea710765b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\nstD4AF.tmp\installer.exe
      C:\Users\Admin\AppData\Local\Temp\nstD4AF.tmp\installer.exe 4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe /t /dT132281712S /e6334247 /u4d48823a-b8b4-4f4d-b72e-794a5bc06ebe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\nstD4AF.tmp\4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
        /t /dT132281712S /e6334247 /u4d48823a-b8b4-4f4d-b72e-794a5bc06ebe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2152

Network

  •
    DNS
    api.downloadmr.com
    4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
    Remote address:
    8.8.8.8:53
    Request
    api.downloadmr.com
    IN A
    Response
No results found
  • 8.8.8.8:53
    api.downloadmr.com
    dns
    4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
    64 B
    120 B
    1
    1

    DNS Request

    api.downloadmr.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nstD4AF.tmp\4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
    Filesize: 249KB
    MD5: e5fdaf113b510ceaf5672d7af36eaa75
    SHA1: ee4c3b6d2343650926944869a07e31a9a2a4ffc5
    SHA256: d4f2a25d2831f368313160bf2e2983264426ba9e4027447440b5a3ee8bb8b526
    SHA512: f55acf149353251d44d768381a9256f509c62e24479775a24924c584a29fd7cdc2f705b84318a0280ca9731c6c3b4be993045e2e925cd42ef7a9e64e21e584a8

  • \Users\Admin\AppData\Local\Temp\nstD4AF.tmp\installer.exe
    Filesize: 207KB
    MD5: de8e9cb3a534359f5809b9c5980ce365
    SHA1: 34def3bd6d46a97daa546671513733b9a94c1e8a
    SHA256: 653db07daeedb23437e723f00ab4f7320e5bb6e6689e38e54896ee44d84cfc71
    SHA512: dffe030837a4babfb06419ffd893f54b9856e0f1aafb320e923a7a4aea894154207b0f2998fd0ecaaf0105c6ff1bed95d93a8ae2f531e1c8c3aca248a35b1fe2

  • \Users\Admin\AppData\Local\Temp\nstD4AF.tmp\nsExec.dll
    Filesize: 8KB
    MD5: 249ae678f0dac4c625c6de6aca53823a
    SHA1: 6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201
    SHA256: 7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce
    SHA512: 66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

  • memory/2096-32-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
  • memory/2152-23-0x0000000073D30000-0x00000000742DB000-memory.dmp (Filesize: 5.7MB)
  • memory/2152-27-0x0000000073D30000-0x00000000742DB000-memory.dmp (Filesize: 5.7MB)
  • memory/2152-24-0x0000000073D30000-0x00000000742DB000-memory.dmp (Filesize: 5.7MB)
  • memory/2152-22-0x0000000073D31000-0x0000000073D32000-memory.dmp (Filesize: 4KB)
  • memory/2380-14-0x00000000005A0000-0x00000000005C8000-memory.dmp (Filesize: 160KB)
  • memory/2380-21-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp (Filesize: 9.6MB)
  • memory/2380-25-0x000007FEF55DE000-0x000007FEF55DF000-memory.dmp (Filesize: 4KB)
  • memory/2380-26-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp (Filesize: 9.6MB)
  • memory/2380-16-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp (Filesize: 9.6MB)
  • memory/2380-28-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp (Filesize: 9.6MB)
  • memory/2380-13-0x000007FEF55DE000-0x000007FEF55DF000-memory.dmp (Filesize: 4KB)