Analysis

  • max time kernel
    96s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 06:27

General

  • Target

    a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    a4325cffe3af673ef38fcdccbc3906e7

  • SHA1

    e1c34b8f001e317f88649a642425e6548c53e026

  • SHA256

    24af90a82bce57acc5521e068ddfc0f94e35d89830687bae2f97878b9a3deafb

  • SHA512

    5c911ca5efc2802eb902cc85bb5de0353334e699edbbb53d3791d8aa2fddfe365155f9dd5b6764956a9e222245a04c29f469f37343afa037cd7a4248eed15769

  • SSDEEP

    24576:5bSaE4mvt/NCSAkPtMjrnVJFOQ17YiFPZI1t:5bSv4mvLCK4rnVJFOALJst

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe
        C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe 7-1-2-5-2-4-8-3-5-3-2 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
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get serialnumber
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3208
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4552
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version
          4⤵
          PID:1836
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version
          4⤵
          PID:2364
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version
          4⤵
          PID:3488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 908
          4⤵
          • Program crash
          PID:4132
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1488 -ip 1488
    1⤵
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\81718260052.txt

    Filesize

    66B

    MD5

    9025468f85256136f923096b01375964

    SHA1

    7fcd174999661594fa5f88890ffb195e9858cc52

    SHA256

    d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

    SHA512

    92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

  • C:\Users\Admin\AppData\Local\Temp\81718260052.txt

    Filesize

    58B

    MD5

    f8e2f71e123c5a848f2a83d2a7aef11e

    SHA1

    5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

    SHA256

    79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

    SHA512

    8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    611KB

    MD5

    0cde0cad0ce4b585b01f5f4372421806

    SHA1

    3c7aa727e1d848384380c9d2faf36ef204c62012

    SHA256

    b067a5cd483d8b48109a8e6b0b6f14a98cba55bdfdbb19746bb0b34225fff98e

    SHA512

    ebfcfe5e648989d896b6dcb1006958998ef6f5e141214fe330ad3e70f89412ba2e88640f3f0554c52b9f6f0dae0545eead982b36405f2e35af61e019d41b4468

  • C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

    Filesize

    810KB

    MD5

    c9956ff8300e9d03818f9ea699dd5166

    SHA1

    119029567399a3a4c453f2686bc7f1ad9181e2d0

    SHA256

    d4f2bfa905ebe30c7393db660d4bdd99e5c3a1a7c5f17b2f06d60b4b85f9cc7a

    SHA512

    8201d9c97b894f6ca9da57a18ccda3fa1694b6cc54ff1b53a4981dd5add7edef2e30b7252190e39610c6523da0a6878987d9ba5b583fcdda774f509d7ff51f12

  • C:\Users\Admin\AppData\Local\Temp\nsyB631.tmp\amobm.dll

    Filesize

    152KB

    MD5

    98aafe4b27cc67a4aa2f3f8cb2696c7a

    SHA1

    819d9079822e56185b5860dc9f705c468ec74767

    SHA256

    b2cc39a4cf32de27d4d9e4204c5f51be48568f450780bd9b3322a1c592dbbbf7

    SHA512

    800e3f3d6426272d9d271fd53d6ca8cf49a722d4f3c3f64158de1e9bae1b8fe73b69d225f15991bfc4fdcded98f59279326ebb0d86e8cf9ff84cecd0d4d8eb9d

  • C:\Users\Admin\AppData\Local\Temp\nsyB631.tmp\nsisunz.dll

    Filesize

    40KB

    MD5

    5f13dbc378792f23e598079fc1e4422b

    SHA1

    5813c05802f15930aa860b8363af2b58426c8adf

    SHA256

    6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

    SHA512

    9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

  • memory/3964-0-0x00007FFEF8FC5000-0x00007FFEF8FC6000-memory.dmp

    Filesize

    4KB

  • memory/3964-1-0x00007FFEF8D10000-0x00007FFEF96B1000-memory.dmp

    Filesize

    9.6MB

  • memory/3964-2-0x00007FFEF8FC5000-0x00007FFEF8FC6000-memory.dmp

    Filesize

    4KB

  • memory/3964-3-0x000000001BCD0000-0x000000001BD48000-memory.dmp

    Filesize

    480KB

  • memory/3964-79-0x00007FFEF8D10000-0x00007FFEF96B1000-memory.dmp

    Filesize

    9.6MB