Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 17:28

General

  • Target

    303a993d39cc64830e10adf510035a85_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    303a993d39cc64830e10adf510035a85

  • SHA1

    77ec88d8d7eae3039bdb61c64c8cc93c26a2a29b

  • SHA256

    92837af4aa06b8c51b611bf7796c6f563507765ab74e1d3e7168445d07e16cb4

  • SHA512

    7917e71cece59dc8d03603a8fcb97fdea2b6247087b24fcf5a8e94757231e9ec0eada6193c7c2057258de1d9a4936eb5aca2d8efdf84edfbac33543e5e4cd031

  • SSDEEP

    24576:h1OYdaOkqU2Uzf5SilCfBJy5WShlDBXEZc78KU88SSThr/jzcT:h1OsyqBI5SilCfKhhvqThr/PM

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\303a993d39cc64830e10adf510035a85_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\303a993d39cc64830e10adf510035a85_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\TslEN8M1Vdw6Q8k.exe
      .\TslEN8M1Vdw6Q8k.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Users\Admin\AppData\Local\Temp\ELYYGC.tmp\TslEN8M1Vdw6Q8k.exe
        "C:\Users\Admin\AppData\Local\Temp\ELYYGC.tmp\TslEN8M1Vdw6Q8k.exe" target ".\" bits downExt
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /u /s ".\\Ui1W50ZMfJxLMs.x64.dll"
          4⤵
            PID:3384

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\bootstrap.js

      Filesize

      2KB

      MD5

      df13f711e20e9c80171846d4f2f7ae06

      SHA1

      56d29cda58427efe0e21d3880d39eb1b0ef60bee

      SHA256

      6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

      SHA512

      6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\chrome.manifest

      Filesize

      35B

      MD5

      0fa84815f4a89528ea1aca5df9ba9095

      SHA1

      8dac2fe6e174899dda89bca38ae9764dba967267

      SHA256

      6a522d3f932644f62b246bf2a39f9fd042a858bf1fa2aa8e34ddce2081f47dc2

      SHA512

      922e8b23636beb4b405b861a7c488170717d9fbd748ef2c40184e5ac72a82342fb2da4401cefac1f285e652e6ef8dbcd939de0f75cb31b67f094ca9ac7dff5e6

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\content\bg.js

      Filesize

      8KB

      MD5

      36dfb13a7cd98dd5b245fdc3e5e5c987

      SHA1

      ebd176ace165f912232bfedeb0c68c154348f8f5

      SHA256

      103b0253870cdd413705df2fad0aef340917e3124b8428d3706be45648ad06c6

      SHA512

      725d1b015a1fe998f5ad0b5f705fc99ae0fffc06f990036454b7e6f93b1ee49aa7228681a5b3fef42531f497a6a0d6d99a880f60eae6a17aeafd89a61ba8c953

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\install.rdf

      Filesize

      595B

      MD5

      19eec5a5652828d6f3397778dd1cff57

      SHA1

      607502980cc89688d26cf3dec96ec355d4d479cb

      SHA256

      c70978158922767f48161b5292c0250080b78227a92ccc093af5da1be7bdc355

      SHA512

      c5788a0a1fd93009fd1ea6afbf1353f170cdf1efad4ab98a8e790ab2c1ba95e1495f30a28f93cdfe589cbe0834d1f852e63b3662bcb99d6e3dbc148bbb99700a

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\TslEN8M1Vdw6Q8k.exe

      Filesize

      218KB

      MD5

      9f6c52eec607111136cd222b02bf0530

      SHA1

      57f3815d0942e3b0a9bef621a7b4971f55fc74d7

      SHA256

      7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

      SHA512

      6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\Ui1W50ZMfJxLMs.dll

      Filesize

      863KB

      MD5

      121e25780259b7eb047221be2ab61c48

      SHA1

      e8770368366d8730aed0639c19db308c4c07c1c4

      SHA256

      76880b882cccfcca404422534a96325f03b6bcf2f3043dc9590511121afcc9cf

      SHA512

      516809f49441be91ca39c08c8af628716f2774cc21f3a1852097fa8c3cc16809f8e35079303b4a97f42aa23fce6908eda6c862a58577b36d97f3c2371062d9bc

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\Ui1W50ZMfJxLMs.tlb

      Filesize

      5KB

      MD5

      1ca45b386c7b01e1bd45ef4e291d3f70

      SHA1

      dcabb955bc45b182231459d7e64cba59592c907e

      SHA256

      495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

      SHA512

      87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\Ui1W50ZMfJxLMs.x64.dll

      Filesize

      945KB

      MD5

      58a22b0e91eeabbb39a6f5bc29b66be2

      SHA1

      aabe842732fcb00700b345c807ac6f11678de751

      SHA256

      bd38583ee41b71624a8d8857f78a9d792ad079e348348180ee610c5cc2f3faa9

      SHA512

      4d38872990c832a82086b70d770bb9250d567d900bd3478d7ec2302a46265a639047acb6c3ee7d4002010bfb8190ef41b98ab55011c67b60ba586cdb3cdef2c0

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\iiekjlpbplcoaboceghijghjhmpeakda\EPLhqsrgA.js

      Filesize

      6KB

      MD5

      407b1509df61a7f645b91ddb8d843e11

      SHA1

      1cb4cd6bf477f069035108e930e7cb949c83c78b

      SHA256

      99037da11e5da8e5f632d7d2f4ec4646a3fda6b9d040b75a5dc42f8fe58056da

      SHA512

      7e9a9ff4b1499b027c156b997920ee7b88a51798934ef8be1a7e7a7a40d1c0647b06cee6e5beef2093b75bbf720e7e826892c33da2a93ae3bbd64348819475d4

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\iiekjlpbplcoaboceghijghjhmpeakda\background.html

      Filesize

      146B

      MD5

      256c1e15d3a70d8cd921515996d4553c

      SHA1

      62ac229130000b685a83d9d71d52efb49f54fc4e

      SHA256

      1887568fc30d93b40118ab21410d920b48946abcbcbb15d36f38b7146ea90e7e

      SHA512

      02fbd6da5acb71b8cc74b8949f2356da99b73b699c0225dd7fbc5a519ec1dcd4454f04d98073855646a83040b22354095dcee27fe3496fb61d21117e84a204ca

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\iiekjlpbplcoaboceghijghjhmpeakda\content.js

      Filesize

      144B

      MD5

      fca19198fd8af21016a8b1dec7980002

      SHA1

      fd01a47d14004e17a625efe66cc46a06c786cf40

      SHA256

      332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

      SHA512

      60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\iiekjlpbplcoaboceghijghjhmpeakda\lsdb.js

      Filesize

      531B

      MD5

      36d98318ab2b3b2585a30984db328afb

      SHA1

      f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

      SHA256

      ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

      SHA512

      6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

    • C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\iiekjlpbplcoaboceghijghjhmpeakda\manifest.json

      Filesize

      499B

      MD5

      496a36783c9e4e278bf3c1597a2eb77d

      SHA1

      76d6170cb8d01a472862eb5281c78bad8ca014d2

      SHA256

      d384fc88a99a436cc3c2a1e91619db1bc413c85eb3b6555172f65707c103b6a4

      SHA512

      7be546a221e05d56f4c74d88d0789967149a87e282d6380fe792c3f960e402caf4909c4c2b0940d933914ff3658b606834953f9b349d5143bcb1791fc27f98d8

    • C:\Users\Admin\AppData\Local\Temp\ELYYGC.tmp\TslEN8M1Vdw6Q8k.dat

      Filesize

      14KB

      MD5

      94d5249ebfcddc85e888f94717af5eb8

      SHA1

      50b8793b44598e52443ae3167af4e278e19f81bd

      SHA256

      b953b6dabb8767be0a0ba0b441e8d4e3be7f57bc12fa33345158b154d7fd670a

      SHA512

      9b4adf19bae8474ea1a12ef4716121cb67b54e5536c8747e0070a57d3431bb4096dd9c30fff2e546388bcb7240f5736c4f12b4d78ca0e234c2a7b5640521e321