Analysis
-
max time kernel
165s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20/04/2024, 15:48
General
-
Target
fd1c1fc717004317f6e40b7d87be87c1_JaffaCakes118.exe
-
Size
29KB
-
MD5
fd1c1fc717004317f6e40b7d87be87c1
-
SHA1
aa89d7bcdca4afb9e814da28e2ca6ce2c582f622
-
SHA256
e3b1d1f8ed6019d2e75ace44ea3de460a5707b39db65aec34891f48d623508e3
-
SHA512
17fe13f1977734d7bc37aa7bcf5577bfaf727551163f2a0bb53a0c46f5054e9aa31b869c6ce9953d6702bebc0e414d487d6d0bfaad4bad8293920853c881c850
-
SSDEEP
768:Gsb8bXSSHJ6IdV+zP46Ta4WmgqPagF+y2/erHT9f3e+Y:L8bXSSpfdVkA6TaxVOagAy2WbT1Q
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 23 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd1c1fc717004317f6e40b7d87be87c1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd1c1fc717004317f6e40b7d87be87c1_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\program files\internet explorer\iexplore.exe"C:\program files\internet explorer\iexplore.exe"2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3504 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\dfDelmlljy.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86B
MD5741566d74a82afcb7581a328a06ff31f
SHA1ff5d6b51a3afa6b8dc2a35302ff9a5a351600c51
SHA2569e2e9b6bffc82b675f8c86f974c03e8dd7e1683d7dcbb45d87e8f98828890947
SHA5123a5d68c221fe2d6d012d66b3d61a82efdcd43cb8524584701d144a9a8491b537d5a6f46b0151a0e40de1c4eb547796a08da3f8098f499413425b7998c83ce431
-
Filesize
233B
MD59431d6f60b1fcd93172d3b49d8cc39cf
SHA1c4c50d4b344175782d52fe46c34fd83ff51d8b96
SHA256d3a0f857b6b422bdfd119c49141e432b61f9fc51aaa6dc3019ba29a34b2fa86f
SHA512c7ed31ea8ca13b6ef390ddb8b9d910f34502645c938074063cefa444f75a28f94d91e084c4948cad87a9ffe62752cfb407c638533815d6bfb365d129c1afaf5d