Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-04-2024 12:09

General

  • Target

    d35381609a7837b54625620b260ceba0_JaffaCakes118.exe

  • Size

    580KB

  • MD5

    d35381609a7837b54625620b260ceba0

  • SHA1

    e2a849cd29fe4584fe183ec4a3d231b96c11510f

  • SHA256

    e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54

  • SHA512

    a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e

  • SSDEEP

    12288:Q4gzhRXZrOMlRYpl3U077HwPoTxqLWPiXjJ/whUFT:ehRXZr1ypl3p77QwTUki9/who

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Suspicious use of SetThreadContext 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:544
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:3316
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:1576
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:692
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:4448
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:1592
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:4032
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:2856
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:4628
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:396
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:1872
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:3960
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

    Filesize

    128B

    MD5

    a5dcc7c9c08af7dddd82be5b036a4416

    SHA1

    4f998ca1526d199e355ffb435bae111a2779b994

    SHA256

    e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

    SHA512

    56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

  • C:\Users\Admin\AppData\Local\Temp\ee50048c-b6eb-4ad3-b983-551cd617a0fd\AgileDotNetRT.dll

    Filesize

    136KB

    MD5

    9af5eb006bb0bab7f226272d82c896c7

    SHA1

    c2a5bb42a5f08f4dc821be374b700652262308f0

    SHA256

    77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

    SHA512

    7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe

    Filesize

    580KB

    MD5

    d35381609a7837b54625620b260ceba0

    SHA1

    e2a849cd29fe4584fe183ec4a3d231b96c11510f

    SHA256

    e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54

    SHA512

    a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e

  • memory/396-123-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/544-36-0x0000000003060000-0x0000000003070000-memory.dmp

    Filesize

    64KB

  • memory/544-27-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/544-37-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/544-35-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/544-45-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/544-44-0x00000000722A0000-0x00000000722D7000-memory.dmp

    Filesize

    220KB

  • memory/544-41-0x00000000722A0000-0x00000000722D7000-memory.dmp

    Filesize

    220KB

  • memory/544-38-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/692-83-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/692-84-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/692-77-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/692-80-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/692-71-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/692-78-0x00000000029B0000-0x00000000029C0000-memory.dmp

    Filesize

    64KB

  • memory/1576-64-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1576-57-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/1576-59-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1576-61-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/1576-62-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/1576-65-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/1588-25-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1588-23-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1588-46-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1588-47-0x0000000000F50000-0x0000000000F60000-memory.dmp

    Filesize

    64KB

  • memory/1588-48-0x0000000000F50000-0x0000000000F60000-memory.dmp

    Filesize

    64KB

  • memory/1588-24-0x0000000000F50000-0x0000000000F60000-memory.dmp

    Filesize

    64KB

  • memory/1588-26-0x0000000000F50000-0x0000000000F60000-memory.dmp

    Filesize

    64KB

  • memory/1592-91-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/1592-98-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/1592-92-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1592-95-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/1592-97-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1600-0-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1600-2-0x00000000014F0000-0x0000000001500000-memory.dmp

    Filesize

    64KB

  • memory/1600-3-0x00000000014F0000-0x0000000001500000-memory.dmp

    Filesize

    64KB

  • memory/1600-1-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1600-20-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1872-130-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/2856-113-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/2856-111-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/2856-109-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/2856-110-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

    Filesize

    64KB

  • memory/3316-67-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/3316-66-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/3316-56-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/3316-63-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/3316-60-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/3316-58-0x0000000002D40000-0x0000000002D50000-memory.dmp

    Filesize

    64KB

  • memory/3316-52-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/3752-39-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/3752-42-0x00000000018D0000-0x00000000018E0000-memory.dmp

    Filesize

    64KB

  • memory/3752-15-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/3752-16-0x00000000018D0000-0x00000000018E0000-memory.dmp

    Filesize

    64KB

  • memory/3752-19-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/3752-21-0x00000000018D0000-0x00000000018E0000-memory.dmp

    Filesize

    64KB

  • memory/3752-40-0x00000000018D0000-0x00000000018E0000-memory.dmp

    Filesize

    64KB

  • memory/3960-140-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/4032-99-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/4032-94-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4032-96-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/4032-93-0x0000000002D30000-0x0000000002D40000-memory.dmp

    Filesize

    64KB

  • memory/4032-89-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/4032-87-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4032-100-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4448-82-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/4448-74-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/4448-72-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4448-76-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4448-75-0x0000000002860000-0x0000000002870000-memory.dmp

    Filesize

    64KB

  • memory/4448-79-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/4448-81-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4568-143-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB

  • memory/4628-104-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4628-106-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

    Filesize

    64KB

  • memory/4628-107-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4628-108-0x00000000722D0000-0x0000000072307000-memory.dmp

    Filesize

    220KB

  • memory/4628-105-0x0000000074190000-0x00000000741EB000-memory.dmp

    Filesize

    364KB