Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/03/2024, 18:23

General

  • Target

    2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe

  • Size

    16KB

  • MD5

    2970e1c26ef472285f0888308b7f6e73

  • SHA1

    86953b3e9291f7a4585eef2e843055e2e2274744

  • SHA256

    5b5311b75f67053c6df98825205f3badb5d80984fe9aa0e4c8b919e193f0af94

  • SHA512

    87d7b25afc5c768092f5d6d0b99f9b10d56a2b696c29c9a9f3a78a1dad51901415652cc3b2edf2ab3e348af3a1b4d29f596b8c1f4e669639e2d42ed2e9f539aa

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlt:hDXWipuE+K3/SSHgxmlt

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Local\Temp\DEM95C8.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM95C8.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Users\Admin\AppData\Local\Temp\DEM41B7.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM41B7.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4924
            • C:\Users\Admin\AppData\Local\Temp\DEM9769.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9769.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4912
              • C:\Users\Admin\AppData\Local\Temp\DEMED68.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMED68.exe"
                7⤵
                • Executes dropped EXE
                PID:2572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe

    Filesize

    16KB

    MD5

    30797d3a2af4c8b594e43b46ce1988b5

    SHA1

    5f17bed78ebb94d637f9c581d778012e36488781

    SHA256

    d6eba98d16c4a8f49c39a3458637005e9fc05c320b8d527bbabe6dc5b02032b4

    SHA512

    791022df155ae480ab99aa19d850e5829d4fbc2a5ba47fcd787da72ebea9049c9f03d43ea60b3274b9a63d0320326061562c3b0b831c5058984a3849199bb97c

  • C:\Users\Admin\AppData\Local\Temp\DEM41B7.exe

    Filesize

    16KB

    MD5

    423661317e09618afb2b418d299109cd

    SHA1

    7ccfdfdfd184ae11bf2de78cfa13b51a26ec5976

    SHA256

    81c227564a9738120410d143ddfeae1b6db0b4158d04211f648a4166e17195a4

    SHA512

    762edcde38b1734b68e25a3e7212b21c2f5c98d81e07066dbc217fc1fc1d3ad81c1152b4d545da5e337a04ec6ee0dc32851d61813e3f493b2f2c932815723ac9

  • C:\Users\Admin\AppData\Local\Temp\DEM95C8.exe

    Filesize

    16KB

    MD5

    a80d0339f841725ed8b556e919e48905

    SHA1

    a6566462edd4bde1d375bada3ec3bcf32b1b15fe

    SHA256

    2151b2e9df645337ab4c8902f9e2fdb0a7229f505f51dec9fe0da5f7b783b2be

    SHA512

    19d7df0832d5ab5f291a4e49ef8b0201b0e449a068a2d96f9ee993ee58d7011e9ae1fbd98d266f0533f5682eb140434dd8c7f3f542fe2538cb614befd27bd5fa

  • C:\Users\Admin\AppData\Local\Temp\DEM9769.exe

    Filesize

    16KB

    MD5

    b2da84814acd57aa747bf7c055281d55

    SHA1

    1ff86e35ceb0852a7543f7d53990800f4cee7fe2

    SHA256

    536ebe42bb1f1c03d88aef511149779781054af5f53cd00c58dd2c287bff1bdf

    SHA512

    2b4c42c290d59925691cb43048de41c3a1c3abd4f4bdc75356754abcbe5e52b6a40a18b4a1aa29b555aaa358d106d3d2e2f8ad7a0e9c480e5d19030aed52ce85

  • C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe

    Filesize

    16KB

    MD5

    df9703821e01786a6b526c28ac4d58d4

    SHA1

    73abce4352f53d4fe2dd0c13a7bdb1c1983b1418

    SHA256

    f3de19ac9cc2e09197ec0be007fc9ca064d02c0c4f4917464da3a5206f847c09

    SHA512

    1c25d63b283a3320fa91c7f458c53552317a2ffb4340a85ee9891206a5964f8a7ea1601c63fbaa5b29677d1cab5f4658d567fbef869929b1f9fa42e06e3cfb20

  • C:\Users\Admin\AppData\Local\Temp\DEMED68.exe

    Filesize

    16KB

    MD5

    f78aaf3de24892937e2b7594c3fde33c

    SHA1

    f5eae326cdd6dc8a2ba84797d4554ea53faa4dc1

    SHA256

    7a0395c7b5800793e4b7442715be57108ac60903253eb7bd4b2db31096c8d6d7

    SHA512

    61fca9d3cbf40f7ce180ba607f39ce7b679d81fb8dc72f949e0beb013ab81168cf39982a3773308a0935da9e94bb4d576df26a363304b4628cae0b4cdc5e1054