Overview

overview

7

Static

static

3

f02ca3d2ac...18.exe

windows7-x64

7

f02ca3d2ac...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2024, 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f02ca3d2acd7864254d3378d1f679e17_JaffaCakes118.exe

  • Size

    43KB

  • MD5

    f02ca3d2acd7864254d3378d1f679e17

  • SHA1

    4161c393e6475c00e00f1fc114b758010258dd8f

  • SHA256

    e146ead17d215d5aa977de9341f3cae80eccd82b3b79089e987ad8142508abbe

  • SHA512

    ae42320c950a08783b5f9d12b7d7fb0fc2c275de9840e7a2a8c9a35d5067839fc35725fbef589e84e84213ee28520623b0388b1558392a0a9426a8994cd7b37d

  • SSDEEP

    768:Gnkx4yiUZKGrd69GMop72+CoTLhmzlofvABHzqtrZDchA:GoZ6GI+8Ofv2zqR8A

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\f02ca3d2acd7864254d3378d1f679e17_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f02ca3d2acd7864254d3378d1f679e17_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Users\Admin\AppData\Local\Temp\decrypted.exe
          "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\decrypted.exe
      Filesize

      31KB

      MD5

      4aa497aaf034550c6cabe6ae52cec406

      SHA1

      a41754df5edb7a7779a61849acc012a6ade0c4bf

      SHA256

      e04922a5e52932171fd2a9a9555ca913d6d607398fd27b636937fc13fd0d41ad

      SHA512

      292a44e421f0a0464699b49fa15860a7cc6efaae456d57470a1ebe448275649541869563d70857d3c6bdbc22ba689753b224408e6a502ea427de6c5d4d4bff25

      Download Submit

    • memory/3016-9-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3016-11-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3016-16-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3016-17-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3408-12-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3408-13-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

      Filesize

      4KB

      Download