Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29-03-2024 20:22
General
-
Target
2bf8b80d12f72c06d8566797f1829d70_JaffaCakes118.exe
-
Size
224KB
-
MD5
2bf8b80d12f72c06d8566797f1829d70
-
SHA1
37d029aad8531adeeea53cd3a549390c3a913627
-
SHA256
81b6fe197e9493963fd3e66ebae93ee92f586bd9bd8fa275e3ea0e0723975dd2
-
SHA512
7579eed96a37747a8b97791b83f1efd410f19d52be0e00a62165ba8c437842c03af63f47fe34a220daaddaa7d0bf42122820da3b16c850e31b49996c2ff0086c
-
SSDEEP
3072:q8aQs4BSCpikIp8PwzjdIC0fyEixcHw2m45UpXMhv8XWaOKHmv1z0oo0KXDDlxG3:qTDOHnSP9IRfypSsX500oHKXXG+PZMx
Score
10/10
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bf8b80d12f72c06d8566797f1829d70_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2bf8b80d12f72c06d8566797f1829d70_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\2bf8b80d12f72c06d8566797f1829d70_JaffaCakes118.exe2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272KB