Analysis

  • max time kernel: 120s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13/10/2024, 01:21

General

  • Target: 3d0a495b352a73e2361df387140fd8d7_JaffaCakes118.exe
  • Size: 13KB
  • MD5: 3d0a495b352a73e2361df387140fd8d7
  • SHA1: a016ec3fab6bb7f451dc42e8cb573ef6e14b3b9c
  • SHA256: d7da39e460637330662f181c3481800658582d4728114023d803fca8d65538dc
  • SHA512: 44e5e75667dcdf7a35140c9939b3c8655b9be999b3006967cafc1ea09719ad32846b90bf59c1a973d82c322248fcb7a431f7f5ea223a01628cd0823181930ab7
  • SSDEEP: 384:JSETnMZEj5MZINTMKg6Bb7QbmuDWMFCiSsLB:JSmMZEAAT9Bb7Q3BxLB

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d0a495b352a73e2361df387140fd8d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d0a495b352a73e2361df387140fd8d7_JaffaCakes118.exe"
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\8028.tmp.bat
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8028.tmp.bat
    Filesize: 207B
    MD5: af3ea4c2d67b92cde757a1104e281344
    SHA1: 382242a53cd8bdee0d262ae6ef161aba352a14f8
    SHA256: 9bee85255462c58a75ce4ce882c9e329a7d8c3755aace0ba383796716448ce4f
    SHA512: 93c3c569cbc954b22611928c14e1213d0a45388e6711a5a464fe4cc3e570894a3f421e9571fc4a8e715cf19695d842aba71b21b4472a2e5c58d59cb1f6d4f789

  • C:\Windows\SysWOW64\bootvidgj.nls
    Filesize: 428B
    MD5: d01923a9d90d44021f9251db2212d9df
    SHA1: 328c5167bc76654070b0e1205429938f6d6cb4df
    SHA256: 77e149e8b78d74a2a49cd311ba19ac3a2274c13949ce57587f60264486bcb971
    SHA512: 61f5cf9c0a34e3f16e4015a1c84c1c5b03cae5b37b018a8d11aaf5fcaffe06d4afa8192099f7c8a08912e24d8378dacdc0e3291ed9eeeb6f86f391aee81cb737

  • C:\Windows\SysWOW64\bootvidgj.tmp
    Filesize: 749KB
    MD5: 33ecfb0950d1ef2a16c23aed83071756
    SHA1: 192d732d302297b5c39e481b772abe3c51b11ea4
    SHA256: e7143f3533700a534bfa838065fd9e633d09b4b4180dfd1b6ae6857897785759
    SHA512: 4e3de83cf950ca0e7e20c74e17fd369b49fa91c781d98895d60a054ffe138678a81d1b584c7b1b978536f3a84b0bfd3e06b9f8e2d2abf8c629198b0ca272b0d9

  • memory/3068-16-0x0000000020000000-0x000000002000A000-memory.dmp
    Filesize: 40KB

  • memory/3068-25-0x0000000020000000-0x000000002000A000-memory.dmp
    Filesize: 40KB