Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/04/2024, 11:59

General

  • Target

    f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    f100cd2739e4bb6002798c428d73c83c

  • SHA1

    99b9fe26a5604347532f95523cbd6791abc4c520

  • SHA256

    3fc7be74c396fcb970bd6b3504b55ec1bccce50ab0c0b3973513f43d283d0e20

  • SHA512

    303fb39399b2e37ca81f2a987be2d311aae40db8976b6929e13ab6a2e0d3c70f09ce413867cd36620fc37bbb88609546f25558f59f808dbe6ebbf4e6770f9957

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYLNL:hDXWipuE+K3/SSHgxmLN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Users\Admin\AppData\Local\Temp\DEM3691.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3691.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Users\Admin\AppData\Local\Temp\DEME30D.exe
          "C:\Users\Admin\AppData\Local\Temp\DEME30D.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:840
          • C:\Users\Admin\AppData\Local\Temp\DEM38CE.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM38CE.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Users\Admin\AppData\Local\Temp\DEM8EAE.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM8EAE.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4892
              • C:\Users\Admin\AppData\Local\Temp\DEME4CD.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME4CD.exe"
                7⤵
                • Executes dropped EXE
                PID:4904

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3691.exe

    Filesize

    15KB

    MD5

    54dabb73e7b9d86179b59c521cefe128

    SHA1

    e5d0bd5a7fd3c592ef11d3c3bac071e5d2d223bd

    SHA256

    3a57c597f830d1001a8680c382192c8c2b912fdc1da053a6f7f68163299e28dd

    SHA512

    748e3465300c23995cf1665b4bd7d03582298f21de43166988fde9b665397992b1e6c79a538f44bd1b6bf2e0e2cde3b59a33c73d38cf2eb539dc7eebbbe35268

  • C:\Users\Admin\AppData\Local\Temp\DEM38CE.exe

    Filesize

    15KB

    MD5

    96f880d195a5ab33ec7459cd20921e96

    SHA1

    ea16fa495f9bbdee78587e0c47b743ce6a359753

    SHA256

    0be35c47e1a6d00896006a5debc690796ba9ebba38ce10b1dfdc499b3abf6a12

    SHA512

    814d821b1812cef2fda507a40170434bd915bf2d65a92a36b11133dab2ed236841d53a5fbe109cc2fff9abc256cb639f876284737173d5dbc7e584117297b4ff

  • C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe

    Filesize

    15KB

    MD5

    51fded03ac17e1f1013eecc221a625b0

    SHA1

    658558c7fc374d1ace86dbaf08e9959ff3937524

    SHA256

    21c0d4298b26e9dbcfc8fe1910262d2605f104e5ac9c13fb087278b84371f0e9

    SHA512

    906284cfb620662ae35aa72ada68a2af84f13dfbc138fa711c441053657cb3ea13542ae52e6ed9c1715b33f20e6f60364353deb8dc1d4d692953969f99fe4cb5

  • C:\Users\Admin\AppData\Local\Temp\DEM8EAE.exe

    Filesize

    15KB

    MD5

    cc6a18a328254e90597308f5493d02bf

    SHA1

    87ebb94497738a5341316af1ee15bf431ebb68fb

    SHA256

    ec72a8af2a762c02efe891c27ad4961ce0f3648a91a7f9be1e642df4b340ba7b

    SHA512

    3e7dbee9dd0cf600d215ab8557e1c5971e49175dc9cdb4fdb19ba0c04e9e35f2ea20a512b9f92ef13458861686870532645ebd26e1120e9e3cabf15613b1e37b

  • C:\Users\Admin\AppData\Local\Temp\DEME30D.exe

    Filesize

    15KB

    MD5

    b9b7b5e35ac83e40be03156a38b5268f

    SHA1

    3fdeea8bdad58c6ff175ad207ec1dfa5d204e3ec

    SHA256

    a5afbc42edae67730dcc4f6a2158d650bffd627ede93e50df31e4fa301e0371e

    SHA512

    e93516ffc9a6a014495d322a7c2669663454622d6d234661e8cca853ce7423cc345216fd7ba666c04d86e62c91c01210b79cff99a3134e385002fabc4a00acdd

  • C:\Users\Admin\AppData\Local\Temp\DEME4CD.exe

    Filesize

    15KB

    MD5

    0eba49651176497a384cc0590417f7ff

    SHA1

    a872292c4ab8c6919e4168d0712f4daa04b69904

    SHA256

    9c46d68b967b8854c1d2ef43ca6b9dd16fb8695cd0fd3ded2c1853e1b1b5c105

    SHA512

    9fc67021f1b3a99db23eeaaf1df69cbdaf90cbbfa401fe8401c088da94e22e2162c9eb37b7506e8670e125c44031c697f5f414084658b65b70b86a329c445816
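To work with the seven-stage dropper chain above rather than read it by eye, here is an added Python triage helper. It is written for this page and is not tooling from the sandbox vendor. It re-enters the Processes tree and the per-file SHA256 values from the Downloads section as inline data copied from the report, rebuilds the parent/child chain, correlates each spawned executable with its hash so the result can be exported as a blocklist, and reports any stage that has no matching hash. The one assumption is that parent/child relationships follow the indentation of the Processes section.

```python
"""Turn the sandbox report above into a parent->child chain and an IOC list.

Added example for this page, not the sandbox vendor's code.  All data below
is copied from the report on this page (process tree, PIDs, signatures and
dropped-file SHA256 values); nothing else is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CHECKS_LOC = "Checks computer location settings"
EXEC_DROP = "Executes dropped EXE"
WPM = "Suspicious use of WriteProcessMemory"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (path, pid, parent pid, signatures) as listed in the Processes section.
PROCESSES = [
    (TEMP + r"\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe", 4568, None, {CHECKS_LOC, WPM}),
    (TEMP + r"\DEM3691.exe", 4712, 4568, {CHECKS_LOC, EXEC_DROP, WPM}),
    (TEMP + r"\DEM8CFE.exe", 3780, 4712, {CHECKS_LOC, EXEC_DROP, WPM}),
    (TEMP + r"\DEME30D.exe", 840, 3780, {CHECKS_LOC, EXEC_DROP, WPM}),
    (TEMP + r"\DEM38CE.exe", 2244, 840, {CHECKS_LOC, EXEC_DROP, WPM}),
    (TEMP + r"\DEM8EAE.exe", 4892, 2244, {CHECKS_LOC, EXEC_DROP, WPM}),
    (TEMP + r"\DEME4CD.exe", 4904, 4892, {EXEC_DROP}),
]

# SHA256 per dropped file, from the Downloads section.
DROPPED: Dict[str, str] = {
    "DEM3691.exe": "3a57c597f830d1001a8680c382192c8c2b912fdc1da053a6f7f68163299e28dd",
    "DEM38CE.exe": "0be35c47e1a6d00896006a5debc690796ba9ebba38ce10b1dfdc499b3abf6a12",
    "DEM8CFE.exe": "21c0d4298b26e9dbcfc8fe1910262d2605f104e5ac9c13fb087278b84371f0e9",
    "DEM8EAE.exe": "ec72a8af2a762c02efe891c27ad4961ce0f3648a91a7f9be1e642df4b340ba7b",
    "DEME30D.exe": "a5afbc42edae67730dcc4f6a2158d650bffd627ede93e50df31e4fa301e0371e",
    "DEME4CD.exe": "9c46d68b967b8854c1d2ef43ca6b9dd16fb8695cd0fd3ded2c1853e1b1b5c105",
}


@dataclass
class Proc:
    path: str
    pid: int
    parent: Optional[int]
    sigs: Set[str]
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def build_tree(rows) -> Dict[int, Proc]:
    """Index processes by PID and attach each one to its parent."""
    procs = {pid: Proc(path, pid, ppid, set(sigs)) for path, pid, ppid, sigs in rows}
    for p in procs.values():
        if p.parent is not None:
            procs[p.parent].children.append(p)
    return procs


def dropper_chain(procs: Dict[int, Proc]) -> List[Proc]:
    """Follow the single-child chain from the root down; returns root..leaf."""
    roots = [p for p in procs.values() if p.parent is None]
    if len(roots) != 1:
        raise ValueError("expected exactly one root process")
    chain = [roots[0]]
    while len(chain[-1].children) == 1:
        chain.append(chain[-1].children[0])
    return chain


def sample_name_matches_md5(name: str, md5: str) -> bool:
    """The <md5>_JaffaCakes118.exe naming used above carries the sample's MD5 as prefix."""
    return name.lower().startswith(md5.lower() + "_")


def iocs(chain: List[Proc], dropped: Dict[str, str]) -> List[dict]:
    """One record per spawned stage: name, depth (root is 1), parent, sha256 (None if unknown)."""
    out = []
    for depth, p in enumerate(chain[1:], start=2):
        out.append({
            "name": p.name,
            "depth": depth,
            "parent": chain[depth - 2].name,
            "sha256": dropped.get(p.name),
            "executes_dropped": EXEC_DROP in p.sigs,
        })
    return out


def unmatched(chain: List[Proc], dropped: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Stages without a hash in Downloads, and Downloads entries that never ran."""
    ran = {p.name for p in chain[1:]}
    return sorted(ran - dropped.keys()), sorted(dropped.keys() - ran)


def blocklist(chain: List[Proc], dropped: Dict[str, str]) -> List[str]:
    """SHA256 values of every stage that actually executed, in drop order."""
    return [r["sha256"] for r in iocs(chain, dropped) if r["sha256"]]


if __name__ == "__main__":
    chain = dropper_chain(build_tree(PROCESSES))
    for rec in iocs(chain, DROPPED):
        print(f"{rec['depth']}: {rec['parent']} -> {rec['name']} {rec['sha256']}")
    print("unmatched:", unmatched(chain, DROPPED))
```

Running it prints the six spawned stages in order and an empty `unmatched` pair, confirming every executable in the tree has a hash in the Downloads section and that nothing was dropped without running. The leaf, DEME4CD.exe, is the only stage without the location-settings and WriteProcessMemory signatures, which is consistent with it being the last stage that does not spawn a further copy. Note that all seven files are 15KB and each stage is a distinct hash, so a file-hash blocklist built from one sandbox run will not catch the next polymorphic variant; the chain shape (a temp-directory executable spawning another temp-directory executable six levels deep) is the more durable detection signal.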