Analysis

  • max time kernel
    79s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 07:35

General

  • Target

    a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    a473b5198f8f8a862cefab74dadef499

  • SHA1

    765ed46149c8ee653125c9d98d27e6e654c8f03e

  • SHA256

    d5ea117bf8c3f798f9d61f546af074e36f0162ce48af1c72210f76024fef82ce

  • SHA512

    59a57c75af8c4a5c80c49f7f4a5fe4592b48c4770de15eef593f6469ab48a087b56fef0783727ad1d8dcf623f981a8ffd0afd35795e8e7cb9a04993f195b0364

  • SSDEEP

    49152:WZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9h:WGIjR1Oh0TN

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28525.bat" "C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\""
      2⤵
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\28525.bat

      Filesize

      212B

      MD5

      668767f1e0c7ff2b3960447e259e9f00

      SHA1

      32d8abf834cce72f5e845175a0af2513b00504d8

      SHA256

      cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

      SHA512

      c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

    • C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\9225A02077C942F48C2C515CC687BE6E_LogFile.txt

      Filesize

      9KB

      MD5

      472db94d4d3a939955cfc964e0c4d4a5

      SHA1

      1aaf64f4b98017edce4054ec0fb848f8200ca91a

      SHA256

      18440334d72d02943fac432b802a67a45d5b7539e0276dc5b4b5016341728106

      SHA512

      c0b17b2e702dafa588877cbe56a15b72cb80e61f626db1deb86707c952a3df67f674a191bff1e2862019f89b05dba6c95d3445e4e0baedc04d9e67ce32cc9a07

    • C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\9225A02077C942F48C2C515CC687BE6E_LogFile.txt

      Filesize

      2KB

      MD5

      172e912f5ef6c048e50237180d129930

      SHA1

      780cffdb7b36c1ab9bea5dee4b3f4e5453e0de44

      SHA256

      e44699bd9250c04303b28a9a4787b986a90d9dbaddb2b9578885350d679a399e

      SHA512

      02a87af57ee8b60d04c3461637fb371ddc9a64d1b605be7401541c190c5a807706d5b52a2ae2bb95cd9e76badcacceea854a82d96f1bbdd3c0fe2b95053eebcf

    • C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\9225A0~1.TXT

      Filesize

      118KB

      MD5

      d8debfd93ac886bff230286917310807

      SHA1

      ecae62d2eeb608d091427a98865e1652b6bdd941

      SHA256

      83ac957dc66c5cc93d261efd8bd21d8b55658ee11199094e24e9ed88d6ddce1b

      SHA512

      dd5a746a62f16a5b2d39ad97b0bb3bf4bf215ca1c8166a2b21d43253828ac62ef3fa34bc6de5ff2b01eab195a9d6adf5f63ed374812002fc5fbe240cfb0a522e

    • memory/4312-63-0x0000000003C90000-0x0000000003C91000-memory.dmp

      Filesize

      4KB

    • memory/4312-156-0x0000000003C90000-0x0000000003C91000-memory.dmp

      Filesize

      4KB