Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29/03/2024, 07:08

General

  • Target: 1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
  • Size: 15KB
  • MD5: 1bc5ac86fe53c6ef51a763c704eb36b6
  • SHA1: 6409c5d206f6851829895c0887e5e85b7433c706
  • SHA256: fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43
  • SHA512: f8ee14d99f71161e38032e2dbe4e4b55e18bf38d7c1dadb00d5cc61886b0bc054bc9a74b43f5913bdcd8114f37ce6a6cf34039b00321c2ed316c5ac8d7eac377
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBmSN:hDXWipuE+K3/SSHgxmMISN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe (PID 1972, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\DEM3D57.exe (PID 3024, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3D57.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe (PID 4352, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\DEME9D3.exe (PID 2668, depth 4)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEME9D3.exe"
          Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
          • C:\Users\Admin\AppData\Local\Temp\DEM4011.exe (PID 4916, depth 5)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4011.exe"
            Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
            • C:\Users\Admin\AppData\Local\Temp\DEM9621.exe (PID 2056, depth 6)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9621.exe"
              Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
              • C:\Users\Admin\AppData\Local\Temp\DEMEC3F.exe (PID 4936, depth 7)
                Command line: "C:\Users\Admin\AppData\Local\Temp\DEMEC3F.exe"
                Signatures: Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3D57.exe
    Filesize: 15KB
    MD5: ae36a038781988c683669309f8991559
    SHA1: 12a92f1c60ce40b40243966b0c223cbb4edb387a
    SHA256: e0615d2074a1e1db8d6e6d7c9d4a98d922dec122c299b8779c8920d54332d13a
    SHA512: 59888234ea1b50cff3e0a6ac1bab5199a32fd1d65cab8957cb87cf203cdb7278522a99f7d2c99148bb2e6ba6bc45b7e54eac266e2ec43846c54c168254b8614e

  • C:\Users\Admin\AppData\Local\Temp\DEM4011.exe
    Filesize: 15KB
    MD5: 4de7f9d6d7f294cb0e0c5dd45b1ff423
    SHA1: 53fd9562b044baca005053cfc4484bf41d0703b5
    SHA256: 204fc3721fa92d06b58026785a03a41e95d110240c88438060e550054fa2e7f1
    SHA512: 70342f455558149bff24c79d0bbb287c5f9714402ed5da11582c210a249a919ed9ea517da8142977fcd9e5596c9e5b582ee8e80fe9f58510bb707885435dded6

  • C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe
    Filesize: 15KB
    MD5: 09c768d77d5bf0ce207b031459f58ac1
    SHA1: 35de32a0079a050065deb032eaf0e6b5cdce391c
    SHA256: 54ee7394ac50774b65cc8409ca0f4408a03eb043ac312e2852e9c26f6babfa5d
    SHA512: 11d82a935a54769e859868c90515948bf1c006d4904afe5324ccfbe0d84b22ed52609df45aad2034ebfbaf9787ffc1854e3a7f4f1df46b4a16906283d536155c

  • C:\Users\Admin\AppData\Local\Temp\DEM9621.exe
    Filesize: 15KB
    MD5: 92757e059ffdd459b962e1bf93606157
    SHA1: 89baa143649b4de0fef506e1e1e69b0735320b0a
    SHA256: 4533ddbf04c74c08038d8189aaf5080690f2784d84286caadf01aa53191dc59e
    SHA512: 6b2c90c2a750b2cf9ce6aa3214d6e87c03051d5271091a73ad938bb951ac6b7a5e84db78f0ea8b0029e1f13e26d1c39bb6dbbd5b0c900466995701975a6cfae9

  • C:\Users\Admin\AppData\Local\Temp\DEME9D3.exe
    Filesize: 15KB
    MD5: ec657f1d2fdc53ba5ee40c94eebe3136
    SHA1: a016acc3993772673556f29f2ee9187864335e20
    SHA256: 974ff0f2cd770b1e49b686beace666ee875f7f07ee40cb27be8a6e8e07ed789c
    SHA512: 882228854ea9c5117d897fee4aa50ce77986f014639bfb8c408cf1ecfb1005942034babff2d36d399989c82b82a20cc0d04ba330d045feb246eacf912aa526cf

  • C:\Users\Admin\AppData\Local\Temp\DEMEC3F.exe
    Filesize: 15KB
    MD5: 3eaf2728604d48a4c57d42b405114271
    SHA1: 6ab20c101806fe3973a7964059153da854608d68
    SHA256: 66cc9e756e3186fc7be5e56942cc9a8f8f6bb5f096e8d37579d233495061cf7a
    SHA512: 0a82cb4fcb3116b7b111537eb517f4c6daec0a036df601e0647a0006910c90b21867a7a855b2b31f5f32d26baf5cbe500d0b822c89efda610a3fb56503233df1