Overview

overview

10

Static

static

3

08d701fea2...18.exe

windows7-x64

7

08d701fea2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08d701fea25937c46ab1af409e3f22d4_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    08d701fea25937c46ab1af409e3f22d4

  • SHA1

    9d09842741ef59901ca4855610569e08024f8605

  • SHA256

    326cfbda2969b2ab9c6f72480aa443cce112482bd1d5e354cb8c572fa9817d03

  • SHA512

    5e8ba97bdf5603ce47a4786646b12f0d81d4aa314f1762d6d4b71e7ead22e6c010964eb84f78a9ad3901ad26fdca697e890b1d252c23aa27c103f2e4383ab45e

  • SSDEEP

    768:G/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLx:GRsvcdcQjosnvnZ6LQ1Ex

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08d701fea25937c46ab1af409e3f22d4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08d701fea25937c46ab1af409e3f22d4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    156KB

    MD5

    5ac3798dbda70ab463ae9ad6f378f613

    SHA1

    a48bd0ed8817b09d2c1027499899b9bf240b3c8f

    SHA256

    8a2860c7960c506031230d113b8eee240657114e8b94dc432ce2e38cdfd7a3e8

    SHA512

    74c61b3d2474fdf8467658cbc8c215244a0ab10ad47bfd7c2c38e5ede95d141ba8d6b9971abbd1ec95eea25f9e1dd7b7a68064443fc5ebc7b87dfb7fb9232fde

    Download Submit

  • memory/2300-12-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4996-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4996-11-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download