Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 10:46

General

  • Target
    807b6499b9404ccddccbb1a9759ba0d1_JaffaCakes118.exe
  • Size
    3.7MB
  • MD5
    807b6499b9404ccddccbb1a9759ba0d1
  • SHA1
    54ba6485b9b8d07f0f56a8f80ae675f8780690d3
  • SHA256
    8a5124074d1ca7c2b367e7933f4414c533b9d6a0a2efac7451ba16c1d6edcda3
  • SHA512
    ddc22db85a6e3a762cadef255748ab2a2eda8442871784647e59d2bd6d1c9a3ced2a55cb6303c4789c81d7f8d40b5235474059dae3d6e02deabc7fae84c0c998
  • SSDEEP
    98304:QezcG8SpcFWzuRU7rLteil6ENje140DX/9JEk:dnrpjCRU7FXd0j8k

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\807b6499b9404ccddccbb1a9759ba0d1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\807b6499b9404ccddccbb1a9759ba0d1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83212808-6419-48EC-8C75-1F3B050415EB\setup.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\reg.exe
        REG QUERY HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe
        3⤵
        PID:1420
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /f
        3⤵
        PID:532
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontFamily /t REG_DWORD /d 54 /f
        3⤵
        PID:1396
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontSize /t REG_DWORD /d 917504 /f
        3⤵
        PID:3696
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontWeight /t REG_DWORD /d 400 /f
        3⤵
        PID:992
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FaceName /t REG_SZ /d "Lucida Console" /f
        3⤵
        PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83212808-6419-48EC-8C75-1F3B050415EB\cleanup.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE HKCU\Console\%SystemRoot%_system32_cmd.exe /f
        3⤵
        • Modifies registry key
        PID:4840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY "HKCU\Control Panel\International" /v sLanguage 2>nul"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKCU\Control Panel\International" /v sLanguage
          4⤵
          PID:724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:3252
      • C:\Windows\SysWOW64\find.exe
        FIND "5.1"
        3⤵
        PID:3112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:2232
      • C:\Windows\SysWOW64\find.exe
        FIND "5.2"
        3⤵
        PID:2072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:2304
      • C:\Windows\SysWOW64\find.exe
        FIND "6.0"
        3⤵
        PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:4464
      • C:\Windows\SysWOW64\find.exe
        FIND "6.1"
        3⤵
        PID:656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:3168
      • C:\Windows\SysWOW64\find.exe
        FIND "6.2"
        3⤵
        PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:1896
      • C:\Windows\SysWOW64\find.exe
        FIND "6.3"
        3⤵
        PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" VER "
        3⤵
        PID:2700
      • C:\Windows\SysWOW64\find.exe
        FIND "10.0"
        3⤵
        PID:4188
      • C:\Windows\SysWOW64\reg.exe
        REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\ACRONISDEVICES
        3⤵
        • Modifies registry key
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\83212808-6419-48EC-8C75-1F3B050415EB\cleanup.cmd
    Filesize
    47KB
    MD5
    cfea5a4065aa9483e14d63bbd4c61567
    SHA1
    01e0964400900604ac5a92554f233e6b318b4c36
    SHA256
    18b32008c32ef6d047b73cc0e25be6e5684963656466e8d3cb12e4fb78ea53c1
    SHA512
    7f351da8f947cfc645e8ea7915373a195e52a3d12c6c939f61fb674c5313ef0eb1aa80b263ba1a03779c7a1e6d3a6d7fd238c486f182412861b60ae2fed90b15

  • C:\Users\Admin\AppData\Local\Temp\83212808-6419-48EC-8C75-1F3B050415EB\setup.cmd
    Filesize
    799B
    MD5
    0a04ebe80aeb379206b3ad563138ffbb
    SHA1
    9ad6abc7fce8df4ff39082b73714331e14efd836
    SHA256
    9634aeb664eb242f497c8abe8779e39094ce07391be986fccf76f1595ee95cf6
    SHA512
    20d96b576799c935b821bc094b2af1f03fc23261f2bb6c0053b1445c18be6d20ede98004c1cf1464fd6cb37a3d0ca5330ee8d6d493470cf1c3f5083a2a22c024