Overview

overview

7

Static

static

3

01132c2907...18.exe

windows7-x64

7

01132c2907...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/06/2024, 23:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    01132c2907ff7c7dbe22dc481ff3cc2f_JaffaCakes118.exe

  • Size

    51KB

  • MD5

    01132c2907ff7c7dbe22dc481ff3cc2f

  • SHA1

    5577d2717071bcd54025d280bd37acd4d5004abf

  • SHA256

    3ff58c6d73a166df5ab7b9a34b01b3e8643e39814d630e8b6f89fa256747cdc6

  • SHA512

    aa8d0e10e948b3e67180fc4f7052d3ef600770aeb69ba78c422849ff260f137f724f3f87d83e84d1df7e5fcd894fa7072ebf2061e46083819b727ec630e01353

  • SSDEEP

    768:dwxr9lVQ+7eFIAbNCgRPmAbDC9vKDQvVFtyLsvjBhH2xROa30FToI7Ng8cr:C7euAbNfPmAKU2FtygvSjOO0FkI5g8cr

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01132c2907ff7c7dbe22dc481ff3cc2f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\01132c2907ff7c7dbe22dc481ff3cc2f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Users\Admin\AppData\Local\Temp\inl667A.tmp
        C:\Users\Admin\AppData\Local\Temp\inl667A.tmp ojj-gmlpo.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3656
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl667A.tmp > nul
          4⤵
            PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
          3⤵
          • Drops file in Windows directory
          PID:3228
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
          3⤵
          • Drops file in Windows directory
          PID:3632
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3588 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\01132C~1.EXE > nul
        2⤵
          PID:4868

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\ojj-gmlpo.tmp
              Filesize

              827B

              MD5

              6af2bb403abe2507dbe4544cd3da167e

              SHA1

              3e3d8610765761db0c0c9596764228395d82bd21

              SHA256

              e6b475685c514276691436256a1aa0463a500465a8602f0093e215a5c612cf8b

              SHA512

              85e58c25978b4de667cdb2343edabd30b3e7b59528a7f6efce0c19b1fb452d33a7f0f586fbf0b580893b5fc8cddee07bba8c065154224862a7e905b54ef6a419

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
              Filesize

              59B

              MD5

              d23854dd62bbe723ae72e15951884b5b

              SHA1

              c3d8cca8db6a68589aca1aa22d19b6632ff7a01f

              SHA256

              ec72f4926c2735ed48eaf66746c349ec158423e072237a5bd176656bed02fad2

              SHA512

              720c47a425f0294712af5233e9aa7e549d70fceaa37759e7512358dd475ce24eb45a58c244ddccc603aebeec50e5c24c03f21c99295e305b4927b11e7f04813a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
              Filesize

              94B

              MD5

              d5fc3a9ec15a6302543438928c29e284

              SHA1

              fd4199e543f683a8830a88f8ac0d0f001952b506

              SHA256

              b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

              SHA512

              4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
              Filesize

              98B

              MD5

              8663de6fce9208b795dc913d1a6a3f5b

              SHA1

              882193f208cf012eaf22eeaa4fef3b67e7c67c15

              SHA256

              2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

              SHA512

              9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

              Download Submit

            • C:\Users\Admin\Favorites\°ËØÔɫͼ.url
              Filesize

              154B

              MD5

              8d681a59ea75e91f730bd9ce3c42e514

              SHA1

              9d426029daeebf03c9053761e0e5a9f447f98e9c

              SHA256

              afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

              SHA512

              ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

              Download Submit

            • C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url
              Filesize

              155B

              MD5

              5a17106c27138df10448c2c3be95f399

              SHA1

              56acc2ed4fea4171127a13dcdee08bdd39d674d6

              SHA256

              c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

              SHA512

              1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

              Download Submit

            • C:\Users\Admin\Favorites\´´ÒµÍ¶×ʺÃÏîÄ¿.url
              Filesize

              156B

              MD5

              8a275b261afcc166671132b6f03831e4

              SHA1

              03ac21edc1de2df748ee3a301a6b3de989c423c3

              SHA256

              0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

              SHA512

              269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

              Download Submit

            • C:\Users\Admin\Favorites\¿´¿´µçÓ°.url
              Filesize

              158B

              MD5

              d645085ab92574a2a17abd323415dde5

              SHA1

              49ebaa4499cacd9256f270f35f31684b7cd195b1

              SHA256

              41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

              SHA512

              a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

              Download Submit

            • C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url
              Filesize

              157B

              MD5

              993f72a439a3301caeb969c7faa7a8b9

              SHA1

              176244349a0463cd0fc38cad426d89dc3b055311

              SHA256

              b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

              SHA512

              c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

              Download Submit

            • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
              Filesize

              443B

              MD5

              01f8b2509f3844f8c6e8e198555d3ffb

              SHA1

              55b531078457f8a5583180b018b178f5294f6fcf

              SHA256

              ab9b1350f19e5c3bcec4b6302ea996a20b07db71cc4f99d46d7b9314f208597e

              SHA512

              98b2e3198935d14a6730d9e1dd22dd9f1c6fc692d5052aef9cde84f6745bde36bec984ea7dca2ada001423416eb6c9eac670dada67fe19c9ccccda83c504bd5d

              Download Submit

            • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
              Filesize

              425B

              MD5

              da68bc3b7c3525670a04366bc55629f5

              SHA1

              15fda47ecfead7db8f7aee6ca7570138ba7f1b71

              SHA256

              73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

              SHA512

              6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

              Download Submit

            • memory/788-70-0x0000000000400000-0x0000000000411000-memory.dmp

              Filesize

              68KB

              Download

            • memory/3656-71-0x0000000000400000-0x0000000000406000-memory.dmp

              Filesize

              24KB

              Download