Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 01:34

General

  • Target

    2883f59a81f9e6ff058f7fc25d1f725f_JaffaCakes118.exe

  • Size

    146KB

  • MD5

    2883f59a81f9e6ff058f7fc25d1f725f

  • SHA1

    fe1b6a500b5eabce45e8b0e199b5ddf57d479f3f

  • SHA256

    6737a5c406a2cc5415730091ab506468dab63fc0fdbe74fab0da76eb8b970ea7

  • SHA512

    05d482bcc11817f7d904183e8e689ad848cf1403a0e65ba34bc731bae3f804d7c1ce9d7b1813a8f4fa0f7d444b89b21e77147fded97dc1009c15ff9a0363216d

  • SSDEEP

    3072:wPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkJdoGTIcg:wPhaCEHpMGljt/RYkLBo

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2883f59a81f9e6ff058f7fc25d1f725f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2883f59a81f9e6ff058f7fc25d1f725f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt3552.bat
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im ecplor*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rpstat.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im npver.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im setup.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im spoolsv.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im task.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2816

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\bt3552.bat

    Filesize
    710B

    MD5
    bb2f79cdc22df3a9a04494be6f462c19

    SHA1
    26b4e5d607b6fea41aa3ce9dad00ebe4ac0c0757

    SHA256
    bca482b1a6181bb4ce562d88cd1eac50f2f113fb92e7e9acaeab1d0a5522a540

    SHA512
    e9c21bc99a6d89c445d99d1cbd29f773d21e1179a949b52223c6e699c7cc8080a43fc44938804e678a2f8e26deef029606e649038665fa948a2b6f02c77878cf

  • C:\Users\Admin\AppData\Local\Temp\task.bat

    Filesize
    153B

    MD5
    00194d75abb515776b2c20f6776ae190

    SHA1
    d2440e2a9ae24da4953060680897d67f4c15b09b

    SHA256
    29b3c460c4f279f3e7728c64d672f4bd9b32b39c8c45e2ba67e74e747b26c1de

    SHA512
    f7d9dcd8a85f7e8cf6bdf1f6f6b68d52d8fe50928ff14f0427af6a04ffc78dc88664e28b2c5aa4c638fdb68555686c3334055839e02647d40315974f3bda9457

  • memory/2336-22-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize
    176KB