Analysis

  • max time kernel: 142s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/04/2024, 23:05

General

  • Target: fddbef5c7c8bb288a1757a14ceb0e208_JaffaCakes118.exe
  • Size: 581KB
  • MD5: fddbef5c7c8bb288a1757a14ceb0e208
  • SHA1: c611e06afe10e7c89ef8fe382988143670637005
  • SHA256: 8f99d3144f11c3acc3a648937dfd11c6564e5688d90613f1634e9f7c0d1124fd
  • SHA512: a07553c7368dcb641c0f9b3a763cc9aaf149c0990e8cb87cf10ea781989c58d7bbc23748d946a9cb083f31b144cefed9bdb0ce87d8715eb929c5c77c2525d5c8
  • SSDEEP: 12288:uoMDtCi7NFlZnNqZ9xGrLpZ0ZHEqtgb0Uy:ufplNFgxG5eZngb0R

Score: 7/10

Malware Config: none extracted

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence check.
  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • NSIS installer (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 37 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fddbef5c7c8bb288a1757a14ceb0e208_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fddbef5c7c8bb288a1757a14ceb0e208_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3552 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
        3⤵
        PID:4164
      • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
        C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"
          3⤵
          PID:4888
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\1.vbs"
          3⤵
          PID:5056
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1388

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: b1537a27ac0200c7fc0b7a857fabd617
    SHA1: aabe8a42992e616fa04c8921a5d0fb05c935bd75
    SHA256: 4c9ee2fbaee2cb91b53a8d85cee47899ea2ff8b1523d31fd1d16a4d56c911205
    SHA512: 870979838bcd45fa7e4ad827e9019f61b1c608c61f7c28fdd7d7ee55b53d6d953385e27ada6cc8950071060d65de803a2f5905a98bc785b4884b70dd7ce59075

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: b8b19376372748f274e7f8d219f99c58
    SHA1: caa93a69caa941040643ee58f64685dee85ae657
    SHA256: d8eaebf83027478af29a323052a69aec94395d491d53eceb2d1ff5d31d7892e4
    SHA512: 9a54c782f7ec14fe321ac497b9ef321c14332c651efd4a702f3e2bfd79cf26edd132f1b2b28c94e6832527bc600bc1bcb83be81262e400a09b09ba773327b770

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
    Filesize: 467KB
    MD5: 74869a0346ab36bbba85022612505121
    SHA1: 2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a
    SHA256: 6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a
    SHA512: 723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

  • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
    Filesize: 52KB
    MD5: c4ddf11ebdbf9d8397d710d2cb4e2fab
    SHA1: 8008c97e7d6ff92deb3e1755a614f4afedca92b9
    SHA256: 67a632049e45c25de35b533659624ca24f8e70447abca015bf5776ce6cb3ded6
    SHA512: 3c9be7b92208e8c0f57ab8048108714e06b2aa896a479f61637a93a9eacb4818fcb25ce3d4e1a24086558daeae65d4b482b2c1cfba3df202c396e2bc218362e9

  • C:\newsetup.vbs
    Filesize: 651B
    MD5: 4736e7158c27f244482f5a614b9dbdae
    SHA1: d3a0e95a81e9e3ec95cfd596b25749a0e24e27b9
    SHA256: b8229bc8d6b0013858fb9599cb510afa4566a439164b2c7444c449540a124acc
    SHA512: cebf895dd3ec3822c42b78bac49c685b063cb5afcbcfb3850b073cb118d086c5fa75ec50b6e73d90e14f2c6b595752ad87910b8cf27378424d72a9ea309bf824

  • memory/4292-14-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize: 604KB

  • memory/4776-4-0x0000000000400000-0x000000000048A000-memory.dmp
    Filesize: 552KB

  • memory/4776-5-0x00000000001C0000-0x00000000001C2000-memory.dmp
    Filesize: 8KB

  • memory/4776-8-0x0000000000400000-0x000000000048A000-memory.dmp
    Filesize: 552KB