Overview

overview

7

Static

static

3

29fe2c949b...18.exe

windows7-x64

7

29fe2c949b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29fe2c949b974249d80eb4bef2cddebc_JaffaCakes118.exe

  • Size

    7.9MB

  • MD5

    29fe2c949b974249d80eb4bef2cddebc

  • SHA1

    d4bdbbc3a9f0cc9a01ea05019532a064f12653ca

  • SHA256

    151274aeb9c0cc6a0f441c7a42f4ab5c2b58574989e499deabba4cdf35961543

  • SHA512

    f0893fe54b2d1f23e8d135bb0a1e0dfe7d6e8d5665780ba56c87768a51d46ab8aeea7bd96656bc1acca9dcc20be4b58078cc98ab8ff80a837adc14df4f19d99f

  • SSDEEP

    196608:8Lazg7DSmLazg7DSmLazg7DSmLazg7DSN:rg7uRg7uRg7uRg7uN

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29fe2c949b974249d80eb4bef2cddebc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\29fe2c949b974249d80eb4bef2cddebc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:2088
    • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3024
    • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    Filesize

    7.9MB

    MD5

    1009506de9030a123d108ed7a00252e2

    SHA1

    0596ec4865c65b7cadcb11577f98c11046d54f0f

    SHA256

    b346dc6fac9073558c4403f74f00259dfeec6c3466a9747c6cb81fb3dd438fc2

    SHA512

    7b432b10f08bdfc21af4375b470a3028ddb65dd8b92f805a26955b6962ce191e171642348191dea3cf6ad34c868f07b208484b5dd4e2cab2145b48c8add42d9d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
    Filesize

    1.0MB

    MD5

    a2f259ceb892d3b0d1d121997c8927e3

    SHA1

    6e0a7239822b8d365d690a314f231286355f6cc6

    SHA256

    ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

    SHA512

    5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

    Download Submit

  • memory/2200-24-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2200-11-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2200-1-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2200-0-0x00000000023A0000-0x00000000023A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-45-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-34-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3024-42-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3024-40-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-39-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3024-36-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3024-32-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4464-35-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4464-31-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4464-29-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4464-12-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4504-30-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

    Download

  • memory/4504-38-0x00000000022B0000-0x00000000022B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4504-28-0x00000000022D0000-0x00000000022D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4504-25-0x00000000022B0000-0x00000000022B1000-memory.dmp

    Filesize

    4KB

    Download