Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 09:11

General

  • Target

    2e7b108421af7991767212ec8181dbe4_JaffaCakes118.exe

  • Size

    85KB

  • MD5

    2e7b108421af7991767212ec8181dbe4

  • SHA1

    7bec6461d6c584eb574a2b3b36a66d93f7aebf2a

  • SHA256

    06236f5e9601e2975083dee8b72ce3b4aa6276ae99d10484690382a3d6e8be1f

  • SHA512

    8401c6bedc2c461689783ea10d17af3580abf503c13b933499cf5846e794e53cdc7c5e2660ec1ab2df6fb9991a9d3e6031fe5ae412c5dd7e8196d5e3ed45a19a

  • SSDEEP

    1536:JsyqFg7lCFmISPgrpdEqvYGjF6YzR2HQsfGhWia0vggxuVTusdNZ9qV:JJov42puqvYPYzgwOkHaIggxMusdZqV

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e7b108421af7991767212ec8181dbe4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e7b108421af7991767212ec8181dbe4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lol.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2796
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      PID:4564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lol.bat

    Filesize

    6B

    MD5

    92c0ff1cdacfd222da400745284379eb

    SHA1

    8691414b5ef3645fbdf2a70a19638553512d2a8b

    SHA256

    171c569aafa210816742b001de884513353f51f93d571f9bcf2d2a37634e1cd5

    SHA512

    b12e1f9616269a0e84d4fb294252122631883d5b4b6e0828c069bc80db0794cdafe1e6f1d0d100ba0f0856ce4ecf7787ae3463a5e1c21019450d0164a785bfbe

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    52KB

    MD5

    17d2c0ae91199af03f1a65b9b4c318e8

    SHA1

    56d57dbaf9be415da11169610b12381b31ce33b9

    SHA256

    1eac4bfff06cb44459a6296e19f4188013b022d800ce681e5c75d8a444cc1039

    SHA512

    f1198a8c58ca06e47db1732b58c648dcf26ce98b6e5d3e464ad6ea80b8a071225f9db72b3d6ecbd6d403175040980f7400b842ed7d9c6fdc7bfe9fdb2de8ab7f

  • memory/4024-0-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/4024-12-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB