Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
05/06/2024, 07:43
General
-
Target
9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe
-
Size
3.5MB
-
MD5
9783960bd13fc9f6e266f220c5a174aa
-
SHA1
6a483c098d04152ed62b4e53600e819eaad163b4
-
SHA256
98b7ae6e91fe56a7597d1559967fad5ecc42e46c5021587dfa4be6c444412514
-
SHA512
2f808cbca7eeeaaac626d7519caad4ea407345b542c8a249179567d4da0c54cd8a05f6dd6dc9179a51ad23f4ce456490f212eea6c37dff6376ba8bd5884ae606
-
SSDEEP
98304:X3bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzl:Hbeirfa1GZN+PhLIZZ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\drvprosetup.exeC:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-R8CNN.tmp\drvprosetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-R8CNN.tmp\drvprosetup.tmp" /SL5="$501DE,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Driver Pro\DPTray.exe"C:\Program Files (x86)\Driver Pro\DPTray.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Driver Pro\DPStartScan.exe"C:\Program Files (x86)\Driver Pro\DPStartScan.exe" /SILENT4⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Driver Pro\DriverPro.exe"C:\Program Files (x86)\Driver Pro\DriverPro.exe" /INSTALL4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Driver Pro\DriverPro.exe"C:\Program Files (x86)\Driver Pro\DriverPro.exe" /START4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Driver Pro Schedule" /TR "\"C:\Program Files (x86)\Driver Pro\DPTray.exe\"" /SC ONLOGON /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
819KB
MD5fe31b439855c9bc8af54bc83b61e3d4e
SHA13a4cb85b20b3bd3bb904de725eb974c4ea16a97b
SHA2560bccf5266397c50c63d5dd23ff6c0c2afb672325a6300f2e9e44e71d4b5485e5
SHA5125be58ac4144cd19cef6163dc056d7e540c728ba71b053082d63a53114e13ab1991e419bd2bdb0fff00f5a721ddee40f70579d7b43acbd2772be3b1d30523a97e
-
Filesize
810KB
MD501f6a32f6b28d37b3155325a83d96410
SHA1b5cbaaae0ae15ebb2985733fdce3e156555abc82
SHA2568cb02e1a1867e40aed8a11bae3c8ea100996eb518fa0d81f3d12e02e646159d4
SHA51242fe1c80bd408e7f9e36544dfc13a463e6fd07caef72b9706bba51899bd220b66826b4bf58a1e278bc6f805c43bf30bc60cebd8eb1aeefc328cdccbbee8d8021
-
Filesize
3.3MB
MD5ec1edf352b54ab579353bf043c2014ee
SHA1fc5fff6f090f7615d41df61d0d5757fb26b3a4b5
SHA2560fd7ac20b7655886c6bc98efa05a7dfe5c65deb61d4d656021e4f58564a9ae08
SHA5128fdba482728322b25585930a6dc8c707f44a66751ed66c056ef5380a4c769ef1654ae138deb7aa599f9c0641f618a13dc56022ed941acfdd2cc734fb39be8501
-
Filesize
12KB
MD58f88e83e8022bfacd1e11529fcbac372
SHA12827f7593329022d8a6672133b67d542363e5be9
SHA256d4fa4405d07c959d8578d344d1fcb3bd834003682ea96ee49b048f7d1eba8679
SHA512dc3d181f416633a90297a43a710c77193c4b5c387037ad4084d10372a90151cba176330d4b463f07bc1c18f09c0a84be493e16e38b84946deaf081a6567af371
-
Filesize
508KB
MD50f66e8e2340569fb17e774dac2010e31
SHA1406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA51239275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05
-
Filesize
3.1MB
MD53107c28da15cc8db52ecaeb41e92fa27
SHA19498f3281c0b79a8f051ca9aeb0d6132dcf0ca0f
SHA256e9318226bff1cf3225c26f0bde46ad08f2a745fe9de55153a41c7bf7eb194325
SHA5128b2d0c2744584899ac8cc15786dd13b977958c4d3c8f2cb50b7afeb52b0a6f647bf8b20ab19d5d3b562d8804f92b8fb5828f971124b4e089c0858f0a6ad1a2b8
-
Filesize
1.3MB
MD5dfd23a69f1a7f5385eafafde8f5582f4
SHA1e578e02964582382d4cf90ac003bffa9dcd1dd30
SHA256701db9616b8ca5f24694a3b9fde8b96b08fbbe14871d9f7eeb721ff29d3259d2
SHA512740dda51de539a6c889fecfeeb157ae3ae706e9b6c59931c715ec4a660420b6667b2e01954b511ae872164bdb90be887cf3beddfb2fafad3ee945c92ecf6b174
-
Filesize
64KB
MD50d6f95239fc7575f6356b7f9de24e4fc
SHA127433dfc46ab0538b176ca2e4504ac84d77c8bb8
SHA2563b5abe6dd5dcfb988c358fe5082d12c614a9f4e692f67d3455345c1e1d971321
SHA512746b6a6ac091017c8c06835ee41ddb4a8878d6aa716de7a9de36bbcc40ec6e02d2f78050c68d1f8f29fc2e532e695a193e6ce3f0285f384d5a429c7eb030b667
-
Filesize
1.1MB
MD591c38c395631d57254356e90b9a6e554
SHA1cbe8ae15ec5c8a392b00ddbc71cf92eddd5645b4
SHA256e9804fa0e9a0b249a69539bf9ba3f2df95648f56676a61b8988e6648308ae83d
SHA5129f95567ceb618167899d954387771312b4895d03dcf65e5402c284af50e1ac1ec5d452a8069528a4761894dba02be7a97849be01626d1d688dc4059abf65f119
-
Filesize
164B
MD58a8643166dbaa129dbaecb287e987b8e
SHA1e7cd7de83035b8828b4e8f10330a03a128d0c5f7
SHA256b374f6ae7ec7ab51f56d6a4680fb222d8436be5392526d284452518b9c0be457
SHA512dac7b64e8a3c72382e2f7db99f181a30ef68760ec8a4b1f1ba917c91957c8bb7058f4e1c513521e82c3a954841751d61db68cb76857f559c96b4e1aaa9148229
-
Filesize
1.3MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
3.3MB
-
Filesize
448KB
-
Filesize
836KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
124KB
-
Filesize
68KB
-
Filesize
124KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB