Analysis

  • max time kernel
    207s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2022 00:13

General

  • Target

    b3e0309a3f7238b44a3af4407fa710c0892726af19084c22688d7f2b9c958216.exe

  • Size

    232KB

  • MD5

    78d104714b78cca381f3927964cf938a

  • SHA1

    ce149aa1486815a1215fd6592cb9e4f9da221094

  • SHA256

    b3e0309a3f7238b44a3af4407fa710c0892726af19084c22688d7f2b9c958216

  • SHA512

    aa4c0d33509c393869f61db90f4a2cd2e566e747f9babfe651ed2b176d6b6e561d32a45bdb4111dce28a3d3bb1e03682b86542582db9e537732baf9f70b3b2f5

  • SSDEEP

    3072:MpMeBchnYwN1Smm727IJCkvIwXX4Ph0ApMX3KKl+Hv/91I/2XOlDaE:MpPBcdYwN1S327Y54Ph0TX1kd18COP

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 51 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3e0309a3f7238b44a3af4407fa710c0892726af19084c22688d7f2b9c958216.exe
    "C:\Users\Admin\AppData\Local\Temp\b3e0309a3f7238b44a3af4407fa710c0892726af19084c22688d7f2b9c958216.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\jaiko.exe
      "C:\Users\Admin\jaiko.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3084

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\jaiko.exe

    Filesize

    232KB

    MD5

    5af2862824d03b52bd3d08119f0d6c74

    SHA1

    c53a465633f98602a42d59ad1d1ad51fd632c440

    SHA256

    89926c2214c5f8d077c466bc1bf6738c69c134239c0f24a3224e46d2b47cbe41

    SHA512

    3bba92069ea71e111ae67fc3f821d21d89b6992eaa0e6039cf5e0867102a383c88340559a9d736719baec7ebf26a11bc0d46d8b6f4046f5481cba45a453a79f3

  • memory/3084-134-0x0000000000000000-mapping.dmp