Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 10:23

General

  • Target

    2f65c0f7587d113d0fe97d10e3847882_JaffaCakes118.exe

  • Size

    72KB

  • MD5

    2f65c0f7587d113d0fe97d10e3847882

  • SHA1

    f97e61b40fc7e6b001d45fb7d44fda689d05529b

  • SHA256

    0dd8a1d3f0c5f4d42680eb46c85b47f74f3f0b20801fe969a9b73420e2e8904d

  • SHA512

    7e30eec8c0e9310b62e0697eafe161339b9cca2f5b4e7a3e684c1f6323d0638598296466bbb77b1a7ce8e817c35938767972d026ab447ae41d82461a380253b3

  • SSDEEP

    1536:Iid9QmncCR3QTt839OFo84X5Mk/oj7WDdNfsuhGnnnnnnnrt:I6Qa3ut8NRrXhoj7O2t

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f65c0f7587d113d0fe97d10e3847882_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f65c0f7587d113d0fe97d10e3847882_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    PID:968
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "e578b48"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\fi.txt

    Filesize

    4KB

    MD5

    029c751f6df556ba8253de55c3294f6a

    SHA1

    da73deb150f093576f9227a3bbe5f70d090e57bc

    SHA256

    d7681fcf80a5b7a5a8296fcc74ed37c917a9343a594b45d7165a207e81a8a772

    SHA512

    b31c15f093e0cc5abfda72c145e877d628e3b28c2f9a853dedd4502e56f8e11c1f06d2fbe35760012fb7936adbef4094e558d38bf1873e79658266e1b14a5280

  • C:\Windows\SysWOW64\msimage.dat

    Filesize

    64KB

    MD5

    78e30a9d732ac12fc91fa494596d6286

    SHA1

    b30239269a66bd9a9a462e279713c550e5f4aafe

    SHA256

    55149cc3b22f3ffdc2c20b445ebd54120509065f9b52605c00fa66a5baa6850b

    SHA512

    0fd9b30018dfb2275f4cf72db2858242cd09c8baee19a272834e16a15845ebfde7b48ccd8e506b0a0a6f602e9a3e1ad2e342276968f927d9104b96633452e9a3

  • \??\c:\windows\SysWOW64\e578b48.dll

    Filesize

    10KB

    MD5

    a0a8568d96319bf48c4e5dd6dfde1138

    SHA1

    e0c018d32f0020cffffef75fd5f46527a426e115

    SHA256

    9db133aaa9f0c6b2a953102a8876f359b281dc8b26151f5866f4e4792ea391b2

    SHA512

    672aa7ffb2cea55f0a57c695db31026e5db38df6fbed4909ac33fe6f5eb1f4549d39f7ffe1c33458dd97cfff965917dc025af394f6e43529497816846ab869c8

  • memory/968-4-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1468-8-0x00000000009F0000-0x0000000000A00000-memory.dmp

    Filesize

    64KB