Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 05:22

General

  • Target

    b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe

  • Size

    26KB

  • MD5

    b4f6d746ce496bb0352fa083b209e629

  • SHA1

    709bde1685ffc834580fa19c4729b42f8fd77a7f

  • SHA256

    dd496517c1db326ad4862c58fc183f52dcd6967e86a8810af47101ae6df3cfda

  • SHA512

    a5e193476f7810734b0d164466dfbd65c4cf2a51ff77d65b193a7760bd6a3669f04bbf36b53731f362b6ad6ab5cee96c00b12b406d9ea0b7c5daf06224648120

  • SSDEEP

    384:DZyrOAVI7cfceEAQ1uLsH7tns5NxTwnstZ0rlDPBdrhMIQ0crqBCDS5oqGAEjpe8:DZJAGc3EdQC5nST9ihBMfryC25oIOZQM

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\NTdhcp.exe
      C:\Windows\system32\NTdhcp.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Deleteme.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Deleteme.bat

    Filesize

    212B

    MD5

    2a66ccbbc1a1c72cb060bafa3f4a4c6c

    SHA1

    461e55470fb07972551046b18960fd6267f55cb9

    SHA256

    adf3c1f187ea76d25989aeb730b34762934f9f111c2d94d54cf2a87da255138c

    SHA512

    fa1a8e2cbc55cc4fe369bd4bb2a16fe4503cd1545902dca1e515fe88ddcfea71d19cda281fb2dbb03d75e2ad5829943f47ed55c4c5392596bd289b5707fe6ddc

  • C:\Windows\SysWOW64\NTdhcp.exe

    Filesize

    26KB

    MD5

    b4f6d746ce496bb0352fa083b209e629

    SHA1

    709bde1685ffc834580fa19c4729b42f8fd77a7f

    SHA256

    dd496517c1db326ad4862c58fc183f52dcd6967e86a8810af47101ae6df3cfda

    SHA512

    a5e193476f7810734b0d164466dfbd65c4cf2a51ff77d65b193a7760bd6a3669f04bbf36b53731f362b6ad6ab5cee96c00b12b406d9ea0b7c5daf06224648120

  • memory/720-21-0x0000000000400000-0x0000000000416200-memory.dmp

    Filesize

    88KB

  • memory/720-12-0x0000000000400000-0x0000000000416200-memory.dmp

    Filesize

    88KB

  • memory/2032-0-0x0000000000400000-0x0000000000416200-memory.dmp

    Filesize

    88KB

  • memory/2032-24-0x0000000000400000-0x0000000000416200-memory.dmp

    Filesize

    88KB

  • memory/2032-10-0x00000000001B0000-0x00000000001C7000-memory.dmp

    Filesize

    92KB

  • memory/2032-9-0x00000000001B0000-0x00000000001C7000-memory.dmp

    Filesize

    92KB