Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    18-10-2024 08:35

General

  • Target

    5671ea63501167a6ca46a9e757a59686_JaffaCakes118.exe

  • Size

    228KB

  • MD5

    5671ea63501167a6ca46a9e757a59686

  • SHA1

    9e2202e040ecaf88f4e852675fdbadffe45f7a40

  • SHA256

    e387ff9fecbcd2a404d1dc5c2fcbc47dcf62671f99e8f25ee8f02c025534366b

  • SHA512

    7aaecab3c65d04d0c2705ac6d96b7b28e4b65a83c359b589a7365ac62bd6e47ed8514249c6d8ad2f2c79b73a29a080eaa99b0541b838b054fc78e73ee3dbafc2

  • SSDEEP

    6144:UQ0e9bEeUsviYNFYOybLBzt/VkXjdJl5dJso+YsG:UQ0Obp5qCybP/VkXjDjdov

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5671ea63501167a6ca46a9e757a59686_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5671ea63501167a6ca46a9e757a59686_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\gaoamo.exe
      "C:\Users\Admin\gaoamo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\gaoamo.exe

    Filesize

    228KB

    MD5

    199571beac14dc5b7f23141937d44968

    SHA1

    fdb329896a447b702ae70f14bbb777b6e985c677

    SHA256

    97d7fac6ae4aabccbd56dbd04c07afbe5032669ff9ad331039eee731955ec1a6

    SHA512

    1678dc846b86171d759fdfdde73bc7460afeb71992da0db8302a339e80f8ff4af7b9a7f03d959c0607b115362c1ae4a9206af674d4c7f0e8480dbb06a30df8e0