Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 23:30

General

  • Target

    270e2ed6d36d28c060055cc04529216a_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    270e2ed6d36d28c060055cc04529216a

  • SHA1

    53bf66aeb2442dc3392450d279c32e8083d2de1f

  • SHA256

    f4c78fc3fa8e9d3fcd358c2aedbab28734ec076cdc4817d89c3a311cc895aa8b

  • SHA512

    35d27429a43302a078b20989e71987c8bcdf49b0973aaaca01afdf2017dd47920b49c853430db62591dc4813030d33149fa050598bb192587ad731ee0d821a55

  • SSDEEP

    1536:g8PQsYnmkiw+667MIBf28zPJtC6IoD/QWgxektFAo11C:3PQsAmLf2RxIP

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\270e2ed6d36d28c060055cc04529216a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\270e2ed6d36d28c060055cc04529216a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\raecom.exe
      "C:\Users\Admin\raecom.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • \Users\Admin\raecom.exe

          Filesize

          368KB

          MD5

          07554ca4859a2901775b1c11289e1ef9

          SHA1

          1c68eb6070f7e159a484cae7de40e925a9a1dea7

          SHA256

          8c851ef3111d2e0025499db420fdeb29a706a3a0d3a06d50a5eac331744c7af3

          SHA512

          d14d40c61941325da5653e4c0b322486d03647cbecfc8d099dd296600ae1bc62861f96e90fd8b98e708cfa41c80d251b8ef2d0ccfddde218af3ff359b0ab1491
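A host-side triage script, added here as an example and not part of the sandbox report, that looks for the artifacts the signatures above describe: Run-key entries that point at an executable sitting directly in a profile root (the sample drops C:\Users\Admin\raecom.exe), the Explorer hidden/system-file visibility values, and any copy of raecom.exe whose SHA256 matches the Downloads entry above. Two details are assumptions the report does not spell out: that the persistence is written under the standard Run/RunOnce keys, and that the Explorer change is to the Hidden/ShowSuperHidden values under ...\Explorer\Advanced. It hashes with .NET rather than Get-FileHash so it also runs on the PowerShell 2.0 that ships with Windows 7; run it from an elevated prompt so HKLM and all loaded user hives are readable.

```powershell
# Example triage script (added here; not the sandbox's or the sample's code).
# Hunts for the report's artifacts: Run-key persistence, Explorer visibility
# values, and a dropped raecom.exe matching the report's SHA256.

$DroppedName   = 'raecom.exe'
$DroppedSha256 = '8c851ef3111d2e0025499db420fdeb29a706a3a0d3a06d50a5eac331744c7af3'  # from the report

$findings = @()

# Hives to inspect: HKLM plus every loaded user hive (the current user's hive
# appears under HKEY_USERS by SID, so HKCU is covered without being listed twice).
$hives = @('HKLM:') + (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
                       ForEach-Object { "Registry::$($_.Name)" })

# 1. Autostart entries. ASSUMPTION: the sample uses the standard Run/RunOnce keys.
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($hive in $hives) {
    foreach ($sub in $runKeys) {
        $rk = Get-Item -Path "$hive\$sub" -ErrorAction SilentlyContinue
        if ($null -eq $rk) { continue }
        foreach ($name in $rk.GetValueNames()) {
            $cmd = [string]$rk.GetValue($name)
            # Flag an EXE directly under C:\Users\<profile>\ (no subfolder), or the dropped name.
            if ($cmd -match '(?i)\\Users\\[^\\]+\\[^\\]+\.exe' -or
                $cmd -match "(?i)\\$([regex]::Escape($DroppedName))") {
                $findings += "Run key  : $hive\$sub\$name = $cmd"
            }
        }
    }
}

# 2. Explorer hidden/system-file visibility. ASSUMPTION: the sample writes the
#    Hidden / ShowSuperHidden values. The sandbox flags the write itself; a live
#    host only shows the resulting value, so compare it with what the user expects.
#    Hidden: 1 = show hidden files, 2 = do not show. ShowSuperHidden: 1 = show, 0 = hide.
foreach ($hive in $hives) {
    $adv = "$hive\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    $rk = Get-Item -Path $adv -ErrorAction SilentlyContinue
    if ($null -eq $rk) { continue }
    $hidden = $rk.GetValue('Hidden')
    $super  = $rk.GetValue('ShowSuperHidden')
    if ($null -ne $hidden -or $null -ne $super) {
        $findings += "Explorer : $adv Hidden=$hidden ShowSuperHidden=$super"
    }
}

# 3. Executables in any profile root (the drop location), hashed with .NET so the
#    check works on PowerShell 2.0. -Force also lists hidden files, which matters
#    given the Explorer tampering above.
$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($f in Get-ChildItem -Path 'C:\Users\*\*.exe' -Force -ErrorAction SilentlyContinue) {
    $fs = [System.IO.File]::OpenRead($f.FullName)
    try   { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
    finally { $fs.Close() }
    $tag = if ($hash -eq $DroppedSha256) { 'MATCHES report SHA256' } else { 'unexpected EXE in profile root' }
    $findings += "File     : $($f.FullName) sha256=$hash ($tag)"
}

if ($findings.Count -eq 0) { 'No artifacts from the report found.' } else { $findings }
```

The profile-root regex is deliberately narrow: it does not fire on AppData or other subfolders, where legitimate per-user installers put their executables, only on a bare C:\Users\<name>\<file>.exe, which is the pattern this sample uses. Widen it if a later variant moves the drop location.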