Overview

overview

10

Static

static

3

fe03c6cab7...18.exe

windows7-x64

10

fe03c6cab7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2024, 00:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fe03c6cab7c4b5e09bcfdf7d4d7e87e0_JaffaCakes118.exe

  • Size

    272KB

  • MD5

    fe03c6cab7c4b5e09bcfdf7d4d7e87e0

  • SHA1

    067f68d7da560a99e22a6e6d6a3c65d6a594119d

  • SHA256

    100e85bf99938bbccf4a3b6fe44921fc41317e727fa3056a3e0b7c525e97bd6d

  • SHA512

    f3ff9e0e3254cae0e0ed2a4ba5a9c562906ec578af31a37a591e261db82d890121acd3bdd8a12ea524473876eb40b3a01d7607d9e3f998cd7bbac40c2f038642

  • SSDEEP

    6144:z3aAKlQxchRdjLmtrBuMrdekUH63u+X5sc57/k:m4xGLTuPL5g

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe03c6cab7c4b5e09bcfdf7d4d7e87e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe03c6cab7c4b5e09bcfdf7d4d7e87e0_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\juiuqom.exe
      "C:\Users\Admin\juiuqom.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3500

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\juiuqom.exe
          Filesize

          272KB

          MD5

          93c64a839ff2914729348261d2ea51ea

          SHA1

          3ced82ae7d30538c57b325089a926fccfc0ab05b

          SHA256

          85d561eb87347bc13d9f0ce1f45416f807a65b4cf46176d2a52ec8b6c178fbb9

          SHA512

          0d688b4571de0a571c5db9d3ec21ff7cbca873303a3c5f8aaa055899d0406e158ca0c5ef07892062c8b371415901c59f9f335299db3f5baab95b5480151aeabf

          Download Submit