Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/05/2024, 17:48

General

  • Target

    6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe

  • Size

    10.0MB

  • MD5

    6431b5da2c1026b2d8d33a1f7a417c60

  • SHA1

    498c6e56c9efdfddfb69021dcf8b275a801c044f

  • SHA256

    b59983894a4c71759a2af3a36f4a036163e7bc078ff8858ad219dccc2684cae0

  • SHA512

    8751909a49a221e0093fc342545e9c90ac002cea1efaf883dfbb335762fd88a623dd6377f9bf37eddfe139f1190e5e5769f02963f11f432406f0c63602579014

  • SSDEEP

    196608:FugUqSyFz9MxsRWjnp/4b6cJbRWSRCGHlD4N6aLnWXsCHEsjFsCZzy:EqSyLpQrVkJHxRCGF2j2sCQ

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3392
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4568
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5072
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3564
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3932
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Eternalblue-2.2.0.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:728
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Doublepulsar-1.3.1.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5116
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "ss.exe TCP 10.127.1.15/14 445 200 /save"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3824
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
            ss.exe TCP 10.127.1.15/14 445 200 /save
            5⤵
            • Executes dropped EXE
            PID:4860
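
The tree above is the whole behaviour of the sample. The self-extracting stub (PID 1360) runs `taskkill /IM ... /F` against `rundll.exe`, `ss.exe`, `Eternalblue-2.2.0.exe` and `Doublepulsar-1.3.1.exe` to stop any earlier copy of the same toolkit; the last two names refer to the leaked NSA SMB exploit and kernel implant, and the report shows them being killed, not executed. It then launches the dropped `rundll.exe` from `RarSFX0` (a WinRAR self-extractor's temporary directory), whose child shells out to `ss.exe TCP 10.127.1.15/14 445 200 /save`: a 200-thread TCP connect scan of port 445 across the /14 that contains 10.127.1.15 (10.124.0.0/14, 262,144 addresses, probably derived from the sandbox's own address), with hits written to the 174-byte `Result.txt`. Note that the image path is `C:\Windows\SysWOW64\taskkill.exe` although the command line names `System32`: the 32-bit parent is subject to WoW64 file system redirection, so a detection keyed on the image path must accept both spellings. The following added example (not from the report or the sandbox) turns these observations into rules over process-creation events; the events are constructed from the tree above plus one benign control, and the field names `pid`, `ppid`, `image` and `cmdline` are assumptions standing in for whatever the EDR or Sysmon schema provides.

```python
"""Rules over process-creation telemetry for the chain in this report: taskkill
sweeps launched from a temp-dir binary, executables run from a WinRAR SFX
directory, and a port-445 sweep via ss.exe. Added example with constructed events."""
import ipaddress
import re
import shlex

# Process names the SFX stub kills with taskkill /IM before dropping its own copies.
KILL_TARGETS = {"rundll.exe", "ss.exe", "eternalblue-2.2.0.exe", "doublepulsar-1.3.1.exe"}

# ss.exe TCP <start-ip>/<prefix> <port> <threads> [/save]
SS_SCAN = re.compile(r"\bss\.exe\s+TCP\s+(\S+/\d{1,2})\s+(\d+)\s+(\d+)", re.IGNORECASE)


def canonical_image(path: str) -> str:
    """Lower-case the path and fold WoW64 redirection, so that
    C:\\Windows\\SysWOW64\\taskkill.exe and C:\\Windows\\System32\\taskkill.exe compare equal."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def taskkill_target(cmdline: str):
    """Return the lower-cased image name given to taskkill /IM, else None."""
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes
        return None
    if not argv or not argv[0].lower().endswith("taskkill.exe"):
        return None
    flags = [a.lower() for a in argv[1:]]
    if "/im" in flags and flags.index("/im") + 1 < len(flags):
        return flags[flags.index("/im") + 1]
    return None


def scan_target(cmdline: str):
    """Parse an ss.exe sweep and report the network it actually covers."""
    m = SS_SCAN.search(cmdline)
    if not m:
        return None
    net = ipaddress.ip_network(m.group(1), strict=False)   # 10.127.1.15/14 -> 10.124.0.0/14
    return {"network": str(net), "hosts": net.num_addresses,
            "port": int(m.group(2)), "threads": int(m.group(3))}


def evaluate(events):
    """events: list of dicts with pid, ppid, image, cmdline (assumed schema).
    Returns (rule, pid, detail) triples in event order."""
    temp_pids = {e["pid"] for e in events if "\\appdata\\local\\temp\\" in e["image"].lower()}
    findings = []
    for e in events:
        image = canonical_image(e["image"])
        target = taskkill_target(e["cmdline"])
        if image.endswith("\\system32\\taskkill.exe") and target in KILL_TARGETS and e["ppid"] in temp_pids:
            findings.append(("taskkill_from_temp_binary", e["pid"], target))
        if "\\appdata\\local\\temp\\rarsfx" in image:
            findings.append(("rar_sfx_dropped_exe", e["pid"], image.rsplit("\\", 1)[-1]))
        scan = scan_target(e["cmdline"])
        if scan and scan["port"] == 445 and scan["hosts"] >= 256:
            findings.append(("smb_port_sweep", e["pid"],
                             f'{scan["network"]} {scan["hosts"]} hosts {scan["threads"]} threads'))
    return findings


# Constructed from the process tree above (a subset); the last event is a benign control.
T = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    {"pid": 1360, "ppid": 4000, "image": f"{T}\\6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe",
     "cmdline": f'"{T}\\6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe"'},
    {"pid": 3040, "ppid": 1360, "image": "C:\\Windows\\SysWOW64\\taskkill.exe",
     "cmdline": '"C:\\Windows\\System32\\taskkill.exe" /IM rundll.exe /F'},
    {"pid": 728, "ppid": 1360, "image": "C:\\Windows\\SysWOW64\\taskkill.exe",
     "cmdline": '"C:\\Windows\\System32\\taskkill.exe" /IM Eternalblue-2.2.0.exe /F'},
    {"pid": 5116, "ppid": 1360, "image": "C:\\Windows\\SysWOW64\\taskkill.exe",
     "cmdline": '"C:\\Windows\\System32\\taskkill.exe" /IM Doublepulsar-1.3.1.exe /F'},
    {"pid": 3208, "ppid": 1360, "image": f"{T}\\RarSFX0\\rundll.exe", "cmdline": f'"{T}\\RarSFX0\\rundll.exe"'},
    {"pid": 3876, "ppid": 3208, "image": f"{T}\\RarSFX0\\rundll.exe", "cmdline": f'"{T}\\RarSFX0\\rundll.exe"'},
    {"pid": 3824, "ppid": 3876, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /c "ss.exe TCP 10.127.1.15/14 445 200 /save"'},
    {"pid": 4860, "ppid": 3824, "image": f"{T}\\RarSFX0\\ss.exe",
     "cmdline": "ss.exe TCP 10.127.1.15/14 445 200 /save"},
    {"pid": 9001, "ppid": 4000, "image": "C:\\Windows\\System32\\taskkill.exe",
     "cmdline": '"C:\\Windows\\System32\\taskkill.exe" /IM notepad.exe /F'},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(*finding)
```

The `smb_port_sweep` rule fires twice, once on the `cmd.exe /c` wrapper (PID 3824) and once on `ss.exe` itself (PID 4860), which is the right behaviour: if the scanner is renamed, the `cmd.exe` command line still carries the arguments. The benign `taskkill /IM notepad.exe` from a non-temp parent produces nothing.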

Network

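The report's Network section is empty, but the `ss.exe` invocation in the process tree predicts what a network sensor would see: one source opening TCP connections to a very large number of distinct destinations on port 445 within seconds, which is what the "Creates a large amount of network flows" signature describes. The following is an added example (not from the report) of flagging such a sweep from flow records, independent of what the scanner binary is called. The flow tuples are constructed to mirror that sweep, the scanning source 10.127.1.15 is taken from the command line, and the window and threshold values are assumptions to be tuned per environment.

```python
"""Flag a TCP port sweep from flow records: one source reaching many distinct
destinations on one port inside a short window. Added example; the flows are
constructed to mirror the ss.exe sweep in this report, not captured traffic."""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60           # assumption: tune per environment
DISTINCT_DST_THRESHOLD = 100  # assumption: a client rarely talks to 100 SMB servers a minute


def detect_sweeps(flows, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port), time-ordered.
    Returns {(src_ip, dst_port): timestamp} for each source that reached `threshold`
    distinct destinations on one port within `window` seconds, at the first crossing."""
    recent = defaultdict(deque)                       # key -> (ts, dst) still inside the window
    live = defaultdict(lambda: defaultdict(int))      # key -> dst -> flows inside the window
    alerts = {}
    for ts, src, dst, dport in flows:
        key = (src, dport)
        recent[key].append((ts, dst))
        live[key][dst] += 1
        while recent[key] and ts - recent[key][0][0] > window:   # expire flows that left the window
            _, old = recent[key].popleft()
            live[key][old] -= 1
            if live[key][old] == 0:
                del live[key][old]
        if key not in alerts and len(live[key]) >= threshold:
            alerts[key] = ts
    return alerts


def build_sample_flows():
    """Constructed flows, not captured traffic: a client using three file servers,
    and 10.127.1.15 sweeping port 445 across its own /14 at 200 connections per second."""
    flows = []
    servers = ["10.127.0.10", "10.127.0.11", "10.127.0.12"]
    for i in range(300):
        flows.append((i * 0.5, "10.127.1.20", servers[i % 3], 445))
    sweep = ipaddress.ip_network("10.127.1.15/14", strict=False)       # 10.124.0.0/14
    for i, host in enumerate(sweep.hosts()):
        if i == 2000:                                                   # first 2000 of the /14
            break
        flows.append((10 + i * 0.005, "10.127.1.15", str(host), 445))
    flows.sort(key=lambda f: f[0])
    return flows


if __name__ == "__main__":
    for (src, port), ts in detect_sweeps(build_sample_flows()).items():
        print(f"{src} reached {DISTINCT_DST_THRESHOLD} distinct hosts on tcp/{port} at t={ts:.3f}s")
```

The benign client never exceeds three distinct destinations, so it stays silent however long it runs; the sweeping host crosses the threshold about half a second after it starts. Only distinct destination counts matter here, so a scanner that throttles to a few connections per second still trips the rule once enough hosts accumulate inside the window.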
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.txt

    Filesize

    174B

    MD5

    2856a910cf4a661e70a0330a998c9aaf

    SHA1

    4ae3b22d803c2437884b91707b2735f05d844f0b

    SHA256

    90ce5006f1052397566a00c16726f2eb49520d7ea445323178d8a46ca2d41588

    SHA512

    ac2bf6655ae57771cb2d9c43556dc91a6f1be871cdeca5535cb5ef83891b04bf79a0420631849ac938cb517a6c9ac93db4c026c879903a50e8a9e8771f7986fb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe

    Filesize

    6.4MB

    MD5

    90599351500a732b05756c8a5944f4c1

    SHA1

    9628b582614970f9b14c8408171f2ffdc1cb086c

    SHA256

    5b222f52c27375a6ca9342a6f1483b46101c5c3dbd82b453cb046a6109e5a48f

    SHA512

    442010ff04bfbe92c55472898efb447e3c4a969fc270df909f70164a5c477b3c33147c271d963a82652a7690493e995dd63bcac997f511aec139be2172de2ae9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

    Filesize

    14KB

    MD5

    c097fd043d3cbabcada0878505c7afa5

    SHA1

    966a60028a3a24268c049ffadbe1a07b83de24ce

    SHA256

    1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

    SHA512

    0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

  • C:\Users\Admin\AppData\Local\Temp\_MEI32082\_cffi_backend.pyd

    Filesize

    127KB

    MD5

    ea1f67ca4005dea3a9a9a831bada6fcc

    SHA1

    d568b9d8d98fbeb8ef41a742e4f2787178502cce

    SHA256

    8a13b0e4f0cabe636cccbb41cbecd0266dae870ffa23a5ec19a99105c2849f25

    SHA512

    00b62220781d67e32b902b46930f01134fd06972d04fcec3f74a40af123d80c8c9f89b0171a26f7d561416f5b2451f0dc0782beacd6474da6dc225169c10dd6a

  • C:\Users\Admin\AppData\Local\Temp\_MEI32082\_hashlib.pyd

    Filesize

    993KB

    MD5

    24c2f70ff5c6eaddb995f2cbb4bc4890

    SHA1

    c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73

    SHA256

    8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4

    SHA512

    d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3

  • C:\Users\Admin\AppData\Local\Temp\_MEI32082\python27.dll

    Filesize

    2.5MB

    MD5

    985cbbc088b7cd7039ab2fdef7df3b7b

    SHA1

    7d1c58122f6952671dd4368a231cd4eefc14f973

    SHA256

    65a063a0b44746f382e9669563b29f4ae66b7bf3416c7fa5879a06b70ea9bb40

    SHA512

    1f5acc2c57a9c0c4367a57499710f3f9516daa7711f61e4db7a86b9654e9faec84ab40c1fda44d777eeaee1a0f6017f257ce4df2109101b6bfa395ab35b36974

  • C:\Users\Admin\AppData\Local\Temp\_MEI32082\rundll2.exe.manifest

    Filesize

    1KB

    MD5

    d64d2393217a9edb0b88cce264ac58d5

    SHA1

    b6bee67b8acecbdfefc3469ece2e7c923738503f

    SHA256

    640c93fdfd11ae88d39b79dd2d2a30070cea8a7bb68972c61ab820e5e5bce7e0

    SHA512

    765ea81a77421b5c08d0dc7ab60405ac2482d9d45e466ef3a56203f47916548e5c5f84297275002b08e35254ed0c6dd7b9116c50a252c15d12796de3fe2fae16

  • C:\Users\Admin\AppData\Local\Temp\_MEI32082\unicodedata.pyd

    Filesize

    671KB

    MD5

    cfa3517e25c37e808af38fbeaf7f456e

    SHA1

    63d4c4317675b3456d48feab390355c6dc3c37f9

    SHA256

    061926aeaaf4f7e0212552cd4bb5d6af0e8607ec77f6eb836b6612ab86645ac9

    SHA512

    e4b3cf3e2e9a4d1f48ba8760c68dbfa9304159381115eb21d0c1552428f793e2b091a744f3578b5cbf005fd2abe62f43eaf1664a8f346de35e22d5499f036674

  • C:\Users\Admin\AppData\Local\Temp\_MEI32~1\_ctypes.pyd

    Filesize

    89KB

    MD5

    f1134b690b2dc0e6aa0f31be1ed9b05f

    SHA1

    9c27067c0070b9d9366da78c3d241b01ba1fa4ee

    SHA256

    030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e

    SHA512

    7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170

  • C:\Users\Admin\AppData\Local\Temp\_MEI32~1\_socket.pyd

    Filesize

    45KB

    MD5

    a9cc2ff4f9cb6f6f297c598e9f541564

    SHA1

    e38159f04683f0e1ed22baba0e7dcc5a9bc09172

    SHA256

    36a7dd2596598916384044b680d62fc7369d246703a57178c27c74214a78585f

    SHA512

    9d99f546e5fa8c235fef007d8eca990350f35d11cd903c5d91611c133166845834c27b1c6a9132c71776754580d9e62fb5072ce6ada1f48feecbf408ca39026f

  • C:\Users\Admin\AppData\Local\Temp\_MEI32~1\_ssl.pyd

    Filesize

    1.3MB

    MD5

    d0e36d53cbcea2ac559fec2c596f5b06

    SHA1

    8abe0c059ef3403d067a49cf8abcb883c7f113ec

    SHA256

    ae14e8d2ac9adbbb1c1d2a8001a017ba577663322fe7606c22bc0081d2764bc9

    SHA512

    6cc4a3ede744f81a8e619ee919dfc25e3d16bdcdcf25ec49699d9c1b5511e29d88c67bb7f6936363960838a73e4417668fe6a18220bf777baf174bb8278b69be

  • C:\Users\Admin\AppData\Local\Temp\_MEI32~1\cryptography.hazmat.bindings._constant_time.pyd

    Filesize

    7KB

    MD5

    0c82aa0fd6e056b28b4b60b44a59cbfd

    SHA1

    164bdd548b54212313e4f41856e35005b5546fbc

    SHA256

    4e2476c24f65c9fcbfbd1281569ebbf95f69e10f54b1209d9b5487e75b421e0a

    SHA512

    c193be5c309c6f2b48b0fe8938dbdf5052e8d45ebf94d4e887f04fd0ae5309b2b75f3144683ce967cbfcd7bd71b1c2fcf3319f883ee344461af9b94f81306326

  • C:\Users\Admin\AppData\Local\Temp\_MEI32~1\cryptography.hazmat.bindings._openssl.pyd

    Filesize

    2.2MB

    MD5

    59f5348ae2d4632bc8fd9ed9315763ce

    SHA1

    18fea9141966aac2fe7a57efcdce0e050b680833

    SHA256

    1d52effeccbac2789ed9a599cf040d4c68e1636319cec3c3e3fd59d16c5aab2e

    SHA512

    47df338b3165e359118489e7badb0b292a9305f1914599df15d655edfab02c8c366fa865746c360fe93e52c2ff92a35ab3a251f2abcd8683b1e2dd55a79697eb

  • C:\Users\Admin\AppData\Local\Temp\_MEI32~1\select.pyd

    Filesize

    10KB

    MD5

    bdc7b944b9319f9708af1949b42bae4b

    SHA1

    e88c7b522f64b01b442ffb23f2c5c8656033b22c

    SHA256

    83b5c76d938bc50e58c851d56ef8cbc1001d2e81a1e1f8f5dfed2245244c1472

    SHA512

    df827e76403a1c01e43106e19921c1c958513bc7a3f6d24f74cc790b2575712281261cb7e9c43a86672f2a218c199d5fc05e51f83a58532cbbd10af1b3c5092f

  • memory/4860-186-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB