Analysis

  • max time kernel
    141s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/06/2024, 02:42

General

  • Target

    a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    a3918e032ff926de0deec7701b87d759

  • SHA1

    6e45e8fbd7cfb5596d533025fb9f8869ce085af0

  • SHA256

    bd933e5a31ed83d21cefeb9d6f40e9b480fb1d560ad01a32eef1aabeda2ba17b

  • SHA512

    031237c459f64f3896e7b9ac06cf66a1b9bca2b4162199cb925ea4a05ab8c28353c58fc5a8b2d449ef7cde8cd87ae4d5bf089efaf82724fbd32f724dc9e438cb

  • SSDEEP

    49152:GnsHyjtk2MYC5GDLHikkafWDcqzMeBKoQV0aFXnEQl:Gnsmtk2afkKNMLo67

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:224
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.5MB

    MD5

    a3918e032ff926de0deec7701b87d759

    SHA1

    6e45e8fbd7cfb5596d533025fb9f8869ce085af0

    SHA256

    bd933e5a31ed83d21cefeb9d6f40e9b480fb1d560ad01a32eef1aabeda2ba17b

    SHA512

    031237c459f64f3896e7b9ac06cf66a1b9bca2b4162199cb925ea4a05ab8c28353c58fc5a8b2d449ef7cde8cd87ae4d5bf089efaf82724fbd32f724dc9e438cb

  • C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe

    Filesize

    1.8MB

    MD5

    6ce93a43d85c29f42962ace3fa818e26

    SHA1

    19439224cc4a59212499cad2842aeabb5b824fbc

    SHA256

    1821610d00410064fd10df6c08104a23a3eac06fe8cc6723f7222880c732774e

    SHA512

    6a0c1b35ca2c915cf9637607574964c945e08734ebd8be9eacd508ae64b6e09d213494cb758b19f893209fff42c646193879131bff67936de2ef969f958d886a

  • C:\Users\Admin\AppData\Local\Temp\nsu5258.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    0c44f21d4afc81cc99fac7cc35e4503a

    SHA1

    3d0d5c684df99a46510c0e2c0020163a9d11c08d

    SHA256

    8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10

    SHA512

    4e4bd35d6aa21cecbfe7a93a2ee7db8ee78ca710a4193dfe240d1067afbe10f61db332c1c85f6cc3ba404d895a959742401b615ef8ff5bd9028254c4a43a0923

  • C:\Users\Admin\AppData\Local\Temp\nsu5258.tmp\newadvsplash.dll

    Filesize

    8KB

    MD5

    55a723e125afbc9b3a41d46f41749068

    SHA1

    01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

    SHA256

    0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

    SHA512

    559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

  • C:\Users\Admin\AppData\Local\Temp\nsw5650.tmp\splash.jpg

    Filesize

    32KB

    MD5

    7b969f1073cb2bbc59e0e4bde493ba62

    SHA1

    5af88b9eedbcadf18f0ff7a740001bb173a205fd

    SHA256

    181b91f41df916a24549837e4e0c6ca53da4aac69ebc2737d45b29c453a25f5f

    SHA512

    f699846e67a46a869d5aed8c0d420dbf46d81c37800179e378c8d245f6a2ee7419ae73bb25eadb8462477eb93d052b3843672babe6f6b470f136fe0f760a2512

  • memory/1588-0-0x0000000002430000-0x0000000002431000-memory.dmp

    Filesize

    4KB

  • memory/1588-109-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2496-162-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2496-164-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2496-165-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2496-170-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2496-171-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB