Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2024, 08:49

General

  • Target

    11f726e33a321d174abe26f2fc7ae76e_JaffaCakes118.exe

  • Size

    182KB

  • MD5

    11f726e33a321d174abe26f2fc7ae76e

  • SHA1

    2184c00fc04e483e58a1ac8f9d2ce648e1b0d416

  • SHA256

    f1c578b7fd3703dc7a6a91982ca85f314b6fa60b91532ae0e6ab6d5a344da8ab

  • SHA512

    50308ed596695f5aebf29557053d5f3933b86cc10763249199bfdbeb71d48ce045a09a3dd6baf326af29213c82724942b1552f336e957fb6e4e31f6f6c50b0ea

  • SSDEEP

    768:r/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLb:rRsvcdcQjosnvnZ6LQ1Eb

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\11f726e33a321d174abe26f2fc7ae76e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\11f726e33a321d174abe26f2fc7ae76e_JaffaCakes118.exe"
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (child of PID 2748)
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

    Filesize
    182KB

    MD5
    6c5a1038e95bf46d52054151647b4591

    SHA1
    60e2eeb4b462a5941a1cab1807f8329da1bf44ec

    SHA256
    1aca5a827dfba3da4189e72c79dc70c91bd55efffc30805c53d535bef1c5cc77

    SHA512
    a7f0e6f1883a497c51908690144f07327a23439d29195e5e806e7ca6f7a4e17f8f1454d37d0aa2b65ee7850eaa3fd830ee7f1f24a61aeaeefa913c709c7dee91

  • memory/2412-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize
    168KB

  • memory/2748-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize
    168KB

  • memory/2748-12-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize
    168KB