Analysis
-
max time kernel
112s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 20:01
General
-
Target
6871259455c9585fee78d1344822d12e_JaffaCakes118.exe
-
Size
140KB
-
MD5
6871259455c9585fee78d1344822d12e
-
SHA1
36587c4018ca62f3d6e01327cb107d3c93cbd8fe
-
SHA256
770e13861e7e1715dcf73d475c44561dd1fb2d73f44755d9fe908ead3be0cd7b
-
SHA512
bf32dffbefa5cc8dded4f6cdb850fed86367e596e3c23068745090ad3355c2065b8a963b14bab4284336602334cd6e212558de7b38420d454396a696090a714d
-
SSDEEP
1536:osTWDDkqee7SfZBTHCmUs+ILgJbVIQYf7g45ABm5iyKLYkhl6S78XCO3Kvn9vDJ7:PWfkqeII775ABmY4E8X0D1RCsc6I8D
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 7 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6871259455c9585fee78d1344822d12e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6871259455c9585fee78d1344822d12e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\schovt.exe"C:\windows\system32\schovt.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\windows\lsass.exe"C:\windows\lsass.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452B
MD5055580f9826540b05327daa15f2deb1d
SHA1401361ced0387b624158f4531d7b42713a6741a3
SHA2561d858e8be14ab8b5c41b5cbd592293247df08e9c8d2041d55cca2d00270dcc91
SHA51255154f8d83835529129f90820d09f93cbd6d7de90ebb6feeaf65b07ce6a6a9f6ea047b7b6db344f86fe3f92c4324a8a6191e5a01d21caf2363df69f673dadac5
-
Filesize
140KB
MD56871259455c9585fee78d1344822d12e
SHA136587c4018ca62f3d6e01327cb107d3c93cbd8fe
SHA256770e13861e7e1715dcf73d475c44561dd1fb2d73f44755d9fe908ead3be0cd7b
SHA512bf32dffbefa5cc8dded4f6cdb850fed86367e596e3c23068745090ad3355c2065b8a963b14bab4284336602334cd6e212558de7b38420d454396a696090a714d
-
Filesize
144KB