Overview

overview

10

Static

static

3

3f1316ad92...18.exe

windows7-x64

7

3f1316ad92...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2024, 09:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3f1316ad9200e45736fe70d67b7fee1f_JaffaCakes118.exe

  • Size

    45KB

  • MD5

    3f1316ad9200e45736fe70d67b7fee1f

  • SHA1

    025267abf944c91617d9df79e3e45a1e6c573d55

  • SHA256

    3a34dbbcb4ca6059c2b066b8d31494f3847fa02809a377a4f6cf5d5efa1de832

  • SHA512

    838f3b8b0059939a62d8816ed467d8aa17e12dda1e4a8347b0bcc785e42932c01d6861587ad216884600eec6b3b70a689d7d6f1fa3a78fb9b5a28c26f605fbf7

  • SSDEEP

    768:zIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77NPQ1TTGfGYy6KT:zI0OGrOy6NvSpMZVQ1JQKT

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f1316ad9200e45736fe70d67b7fee1f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3f1316ad9200e45736fe70d67b7fee1f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3644

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
          Filesize

          45KB

          MD5

          5c56cadda5d6cb5ede7c45364b17d7dd

          SHA1

          898a47887a4c2c0f01580bf0a3219146e2e2801d

          SHA256

          ac3311c1d950c1b10d5d5159c14e25e0541ee95a3f797a736e68f77fc4d420e8

          SHA512

          23eca2a9788eed786e6b00916d578a9ec932a6c28029b645870de3f1b9434620231ef406ec4854bb70251d20fd0cb7e0f9d3ac95cb91945a69890befca1ab186

          Download Submit

        • memory/1352-0-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1352-10-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/3644-12-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/3644-18-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/3644-19-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download