Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 01:49

General

  • Target

    a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe

  • Size

    411KB

  • MD5

    a79df0b5df8c0b4a0185d28c0f16a910

  • SHA1

    bf1423309404fb3c9a58ee9f7c62f8da564e0a34

  • SHA256

    88589ff9df936baabc4d0c837069c30507ca0dfe519fb296fe97073f11551810

  • SHA512

    3fdbcf5fa8d669ae86138f5bd3eac1f17773f3b440a5e27a6d2f659de223bff5f549044b173d6780eb67cfeadd6233cd8203169264313fa3a545dbcfc2700bae

  • SSDEEP

    12288:Y3nZMhJ+ubNJWn8qa/NxK4kbnOmcNirl7:Y3nZqfbvWnA/Rc7zV

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
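
The "UPX packed file" signature above fires on 13 IoCs but the report does not say which of the dropped files matched, nor how the sandbox's own rule is written. The following is an added example, not code from the report or the sandbox: it parses a PE section table and reports the three indicators a triage script usually keys on (stock UPX section names, the `UPX!` info-block marker in header slack, and the UPX layout of an empty first section followed by a high-entropy second section, which survives a renamed "modified UPX"). The `build_pe` helper, the three constructed images and the 7.0-bit entropy threshold are assumptions made for the example; they are not the sample's bytes.

```python
import hashlib
import math
import struct

# Section names the stock UPX packer emits. A modified UPX build may rename
# them, so the layout/entropy check below does not depend on these.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, ordinary x86 code is usually 5 to 6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "entropy": shannon_entropy(raw)})
    return sections


def upx_indicators(pe: bytes):
    """Return the reasons this image looks UPX-packed (empty list = no indicator)."""
    secs = parse_sections(pe)
    reasons = []
    if {s["name"] for s in secs} & UPX_SECTION_NAMES:
        reasons.append("stock UPX section names")
    # UPX writes its info block into header slack, before the first section's raw data.
    header_end = min([s["raw_ptr"] for s in secs if s["raw_size"]] or [len(pe)])
    if b"UPX!" in pe[:header_end]:
        reasons.append("UPX! marker in header slack")
    # Stock UPX layout: section 0 is the unpacking destination (no raw data, large
    # virtual size) and section 1 holds the compressed, high-entropy blob.
    if (len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["vsize"] >= 0x1000
            and secs[1]["entropy"] > 7.0):
        reasons.append("empty first section followed by high-entropy section")
    return reasons


def build_pe(sections):
    """Constructed test input: a minimal PE32 with (name, virtual_size, raw_bytes)
    sections. It has no entry point and is not runnable; it only exercises the parser."""
    nsec, opt_size = len(sections), 224
    raw_base = (64 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    table, payload, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        ptr = raw_base + len(payload) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        payload += raw
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(raw_base, b"\0") + payload


# Deterministic stand-ins for a compressed blob and for ordinary code bytes.
HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))
CODE_LIKE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08" * 256

STOCK_UPX = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x1000, HIGH_ENTROPY),
                      (b".rsrc", 0x1000, CODE_LIKE[:512])])
RENAMED_UPX = build_pe([(b".text", 0x20000, b""), (b".data", 0x1000, HIGH_ENTROPY)])
CLEAN = build_pe([(b".text", 0x1000, CODE_LIKE), (b".data", 0x1000, CODE_LIKE[:1024])])

if __name__ == "__main__":
    for label, img in [("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("clean", CLEAN)]:
        print(label, upx_indicators(img))
```

Run it against the dropped files from a sandbox export (`upx_indicators(open(path, "rb").read())`) rather than against the constructed images; a file that trips only the layout check is the case worth unpacking by hand, since `upx -d` will refuse a renamed or header-mangled build.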

Processes

  • C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\5bj1o\21mso.vbs" s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Users\Admin\5bj1o\file.exe
        "C:\Users\Admin\5bj1o\file.exe" -p1234
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe
          "C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe" s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4936
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4840
            • C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe
              "C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:4944
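
The chain above has the shape a detection engineer treats as a process-hollowing candidate: a dropped binary in a user-writable path (jj2o5.exe, PID 4936) uses SetThreadContext and WriteProcessMemory, its child is an OS-shipped .NET binary started with no arguments (csc.exe, PID 4840), and that child then spawns jj2o5.exe again (PID 4944), which adds the Run key. Upstream, WScript.exe runs a .vbs out of a non-standard user directory with a long opaque token that is handed on to jj2o5.exe. The following is an added example, not the sandbox's own rules: it encodes the tree above as data and runs three rules over it (the rule names, the path lists and the 32-character token heuristic are assumptions made for the example). Note the WOW64 redirection visible in the tree (image under SysWOW64, command line naming System32), which is why the rules match on the image path and not on the command line.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline sigs")

# Constructed from the process tree in the report above: PID, parent PID, image,
# command line and the per-process signatures as listed. Not a live sandbox feed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe"
TOKEN = "s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf"
TREE = [
    Proc(3140, None, SAMPLE, f'"{SAMPLE}"',
         {"Checks computer location settings", "Modifies registry class",
          "Suspicious use of WriteProcessMemory"}),
    Proc(4208, 3140, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\5bj1o\21mso.vbs" ' + TOKEN,
         {"Checks computer location settings", "Suspicious use of WriteProcessMemory"}),
    Proc(436, 4208, r"C:\Users\Admin\5bj1o\file.exe", r'"C:\Users\Admin\5bj1o\file.exe" -p1234',
         {"Checks computer location settings", "Executes dropped EXE",
          "Suspicious use of WriteProcessMemory"}),
    Proc(4936, 436, r"C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe",
         r'"C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe" ' + TOKEN,
         {"Executes dropped EXE", "Suspicious use of SetThreadContext",
          "Suspicious use of WriteProcessMemory"}),
    Proc(4840, 4936, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"',
         {"Suspicious use of SetThreadContext", "Suspicious behavior: EnumeratesProcesses",
          "Suspicious use of WriteProcessMemory"}),
    Proc(4944, 4840, r"C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe",
         r'"C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe"',
         {"Executes dropped EXE", "Adds Run key to start application",
          "Suspicious use of SetWindowsHookEx"}),
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # assumed list; extend per estate
INJECTION_SIGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
PERSISTENCE_SIGS = {"Executes dropped EXE", "Adds Run key to start application"}


def argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def looks_random(token):
    """Long lowercase alphanumeric blob mixing letters and digits, like the token above."""
    return (re.fullmatch(r"[a-z0-9]{32,}", token) is not None
            and any(c.isdigit() for c in token) and any(c.isalpha() for c in token))


def children(tree, pid):
    return [p for p in tree if p.ppid == pid]


def lineage(tree, pid):
    """PIDs from the root of the tree down to pid."""
    by_pid = {p.pid: p for p in tree}
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(tree):
    alerts = []
    for p in tree:
        # Rule 1: binary in a user-writable path uses SetThreadContext + WriteProcessMemory
        # and its child is an OS-shipped binary started with no arguments (hollowing shape).
        # Also record whether the hollowed host re-spawns the injecting image.
        if user_writable(p.image) and INJECTION_SIGS <= p.sigs:
            for c in children(tree, p.pid):
                if c.image.lower().startswith("c:\\windows\\") and len(argv(c.cmdline)) == 1:
                    respawn = [g.pid for g in children(tree, c.pid)
                               if g.image.lower() == p.image.lower()]
                    alerts.append({"rule": "process_hollowing", "pid": p.pid,
                                   "target_pid": c.pid, "respawned": respawn})
        # Rule 2: script host running a .vbs from a user directory with an opaque token argument.
        if p.image.lower().endswith((r"\wscript.exe", r"\cscript.exe")):
            args = argv(p.cmdline)[1:]
            if (any(a.lower().endswith(".vbs") and user_writable(a) for a in args)
                    and any(looks_random(a) for a in args)):
                alerts.append({"rule": "script_dropper", "pid": p.pid,
                               "children": [c.pid for c in children(tree, p.pid)]})
        # Rule 3: a dropped executable that registers itself under a Run key.
        if PERSISTENCE_SIGS <= p.sigs:
            alerts.append({"rule": "run_key_persistence", "pid": p.pid,
                           "lineage": lineage(tree, p.pid)})
    return alerts


if __name__ == "__main__":
    for alert in detect(TREE):
        print(alert)
```

The memory dumps listed under Downloads for PIDs 4840 and 4944 both sit at image base 0x400000; that is where to look to confirm what the csc.exe host was actually made to run, since the report itself does not identify the payload.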

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\5bj1o\21mso.vbs

    Filesize

    91B

    MD5

    2dbda1ae2282f1b9efbf2d765c52dd0c

    SHA1

    f182e2d4ee60088fbc22e2c0c647ef75304e6d42

    SHA256

    ffb5a9e68035a2c477f197468762093d45aeae71ca6d868abca045f9eda8a578

    SHA512

    bf2f3fc7e3e8b301ef049a74b7206d4729c427a802d0015e446c49fd866728d4fb0da8aa9989ec500d4885b67af021c247cd78a596185a5882252988a22dbc39

  • C:\Users\Admin\5bj1o\file.exe

    Filesize

    352KB

    MD5

    fca6394ebe877f9cc47c74e8f3ffa0b5

    SHA1

    4165e2f428aab58dc41dd73f26162aaea96cf5b2

    SHA256

    6654d8fd7b3f09059b3bb90a2849e829247231e40de778a7a3427ecef7c9da95

    SHA512

    b3b2a0f72c40038a9f4d67e7fd313df27387e817b1d118e5a0eaa522b2e22505d64f5152d7ef766a69a84829d340ad008f0b080f0fc363ef435192faa5dc3f34

  • C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe

    Filesize

    42KB

    MD5

    ea91e005c6920683a4526839f7745482

    SHA1

    432058655709f00958f287b6413ed5750ff69577

    SHA256

    8be60bfbca8d12da042e25fb2254bd7aa3e13516a3df62faf3b1ed9c3340e449

    SHA512

    971903238c0272ee5a540a34807f0d6b44ecb582e3e0d216b9e8579a2f37e934dde86109815353d62f66373575f3a788166d7d8798b3fb2b5df07fb60c1c16bc

  • C:\Users\Admin\AppData\Roaming\5bj1o\x

    Filesize

    529KB

    MD5

    38bed34868d64ba9f4a11d3e763539a0

    SHA1

    edb562a987a4f0d73cb80606527d46412ea63a0b

    SHA256

    897e6a82490cd866b0a256c4a73bd685d4c4afd3187587bb89c082a9ebe18c52

    SHA512

    6966b8a7114254faf37c383f7e0122011afa0fb67d8d140137e19b812e5f56d5418910f2731343a70612d4527f8e60f9272f70e512cd2b7e54f8555641265f1d

  • memory/4840-21-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4840-22-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4840-23-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4840-24-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4840-32-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4936-39-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/4944-30-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-35-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-36-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-37-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-38-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-34-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-41-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4944-42-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB