Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-01-2025 10:43

General

  • Target

    JaffaCakes118_51ecefa14a05190c415691079794b129.exe

  • Size

    13.7MB

  • MD5

    51ecefa14a05190c415691079794b129

  • SHA1

    7a9504c607c4bb949cfdad4e08ef2800fd25d6b3

  • SHA256

    7f620521abc1eab35ac1e9b42063fda2cae7e7e49dd7984c9fb7b33eacf16a59

  • SHA512

    e7e3a7e31d0f0194623eb803a2edfec6cba2fd4448d5ac882194fbfd279bd647973cdf4ad8be986b25b7025bc854814a3759145a3af3e98b6d6add4ad1bc023e

  • SSDEEP

    98304:Vbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbir:G

Malware Config

Signatures

  • Vobfus

    A widespread worm which spreads via network drives and removable media.

  • Vobfus family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ecefa14a05190c415691079794b129.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ecefa14a05190c415691079794b129.exe"
    • Adds policy Run key to start application
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\AG58FPQON.exe

    Filesize

    13.7MB

    MD5

    a331fe54b1e52b40af6aa00ccf948292

    SHA1

    56f739520e190bd86e95e66305c90eff7317d209

    SHA256

    55d4f7c925d1bfbc787423185ddd796bedf4098f3b58b61a6b9a03af3ef61500

    SHA512

    af96fdbdb538f2ebd90d073acb6702839d5ba12491e06faee293083923def64eeb9553a08745e4ceb8ae671e15568f032337f13fa5c7fbf680f4007dcabeaa23

  • memory/2628-0-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2628-17-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2628-18-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2628-232-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB