Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 22:04

General

  • Target

    114923912de5c2f125812a476724ce51_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    114923912de5c2f125812a476724ce51

  • SHA1

    1bc16556b93ec6118d47a761098ebde9de4db657

  • SHA256

    a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a

  • SHA512

    361afadb639d7f8c6115e5a815992dfb00188d07f36a750e7b8e72ea33699bbf4686f50cb41ddace6eb7abda46740dc0f5dfaadf5f94ea17adf79b9db2c454c6

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0xEp:hDXWipuE+K3/SSHgxm0Cp

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\DEM213F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM213F.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3152
          • C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3596
            • C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:996
              • C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe"
                7⤵
                • Executes dropped EXE
                PID:2100
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4208 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4572

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\DEM213F.exe

      Filesize

      15KB

      MD5

      06d8cece62939908437637fea966c759

      SHA1

      8b0c2ae1f82bef68778926dff312598871a4812b

      SHA256

      1d8c24f0cf153e639cbc7f101ec6ae23ab5729fb9d5d2ffc2ade1cdf99a3e4ec

      SHA512

      3219282ee165b620115a3fe6dd2b55cb595cfae3f92085d92eb49a6c6bec7aef589ef446f902e739a91396a97f39c13b3b118e61688ee14d8d77f8c304c474df

    • C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe

      Filesize

      15KB

      MD5

      ad957d8aa394eb4e2300b00d85f1769d

      SHA1

      6afc2af9c0691de482a5b605b8f01778a6431a68

      SHA256

      2625ec9c518e16d62afa230775257390538550e002a1e8245eaf0b7c8427f7d8

      SHA512

      587c454cc35b247bbe0d90003ac154722e3312b2007c86502ee3cd2910aee9089447439af698e86ea798eaeef468dcc3abedb4e4db3483a60c16afd4f3da11b7

    • C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe

      Filesize

      15KB

      MD5

      07208def1b7c01ff9d24abf8ae9a88c3

      SHA1

      8dce02cde3a96a4313ce4c66d72cbbbde88e6deb

      SHA256

      5a153fda7361f3218ae24816fd76581d6c17512fcef0e264f37905c9da0458be

      SHA512

      3ff8d15ea314a09b57c5f39e1101f63c35c39f54cf4f5b0675d32b91f9878fa8218b24104c9e451e9a19bf42edacf75e27fbc8238d9ff1b4366fc693e9f1fbe4

    • C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe

      Filesize

      15KB

      MD5

      1926acc5afc1ed841b5b05a189f92c53

      SHA1

      57c2094a36f28db854c4a91c41626b181fce3f36

      SHA256

      cfbfdfdc798747b45f3a2bd11a67414d598817739c00738d1460f5ef61e0b219

      SHA512

      efbf3b79bbc9e8c59b3ed3ccc7e15982ee1a3fea4b0065944085d1665302922414369b313fd527015531c1b22a95fdafbd5ab65297618be18c86d14d1616c5a1

    • C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe

      Filesize

      15KB

      MD5

      785f1c0d2f4998af44c352da25966487

      SHA1

      4e53de2a326c7fec99d6d9910b6fc891a544b630

      SHA256

      b9e81fd334a3838583e73b1a2c203d74ff42dd28140abb659e939102cfc79fee

      SHA512

      fc7e6278d87c1eac7535da25b55e48f801c7f2de346ea334f8d28612f9c306cc59a94ecb8fac36b3f01a29eac483614a63082cb417519021f37cb179054f368e

    • C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe

      Filesize

      15KB

      MD5

      47ec214204fe0363be6d3695b8bd7c18

      SHA1

      1d10dbb5e7763d34bf6f38fd4dd7052e1b595026

      SHA256

      06c57abf9fdc618599d2242870aa90bb90e6ab04c502defe1601acfc7d7cd96e

      SHA512

      db95692e243fc75e43d32c29e63f615a2be03ddff2c1ae23d53884a09e99ed8536e9a603594441b4b52841fcbda44c5ca606d43d72f882fd2b0bedc85e8577ad