Analysis

  • max time kernel
    148s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 20:39

General

  • Target

    0063afc31e689ab178279bce2ec3419b_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    0063afc31e689ab178279bce2ec3419b

  • SHA1

    5f755f4804a5991cef2395889b4a31fd1fa54822

  • SHA256

    da0064fdaf4bd4955e9d130e500ccb71e2df41a65eef619d1c556972d1d6cac1

  • SHA512

    d3efa84da31d6a8f743ec8229438711337fe6c886930bec9f8d37d6ec301b81ac5838b86b51b373baaaa566867c11e306717481c9b88b99a491b3aeee3ec40e2

  • SSDEEP

    24576:RNHuGUiEOqILxACgJ2DM/r1uzYN6jzXTsBM2DJ01mlJg:RNHXUtOqI1jatT1uUOzjsB31qmPg

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0063afc31e689ab178279bce2ec3419b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0063afc31e689ab178279bce2ec3419b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1460
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\3WJR06OVN7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\3WJR06OVN7.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\3WJR06OVN7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\3WJR06OVN7.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2020
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Happy Birthday.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1196
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hegp8wye.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1D5ED041EDC444A8B6538E97563F37.TMP"
        3⤵
        PID:1036
    • C:\Users\Admin\AppData\Roaming\0063afc31e689ab178279bce2ec3419b_JaffaCakes1181.exe
      "C:\Users\Admin\AppData\Roaming\0063afc31e689ab178279bce2ec3419b_JaffaCakes1181.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      PID:4536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES3F0C.tmp
    Filesize 1KB
    MD5 f6010427f314fa011b731521c881c4b0
    SHA1 f1f45394189592241922bb3572baa9ff4c20a4ec
    SHA256 f29644b2cdacd46fa7c8847769d3a5680e205a6f985068a2bc32bcb3ef6722ed
    SHA512 e7900d46c9bb2f7907e01d11d87978f2d415234f426e8589edeebf37c89caa6407d14662d5523e2e7f293365cbe9bccdd16a6c45f24b0db97e0e82670d6fbff7

  • C:\Users\Admin\AppData\Local\Temp\hegp8wye.0.vb
    Filesize 381B
    MD5 d9004fd374c4ace6543730c562103204
    SHA1 eb7b51eaf67efe09f8f726c6095f4e8c435af3d1
    SHA256 8615310e4321e54e435d3ca2db985b19dd3f5b9653b54ad7af854d94a719c43e
    SHA512 052609cbfbedeaaf14914a07f52bc8b6f5cddbbaac7f25be190e735f53b245b3e302f887164396c4c8ced468e171d98bf9408efa124cbb5f7e3daef67808301e

  • C:\Users\Admin\AppData\Local\Temp\hegp8wye.cmdline
    Filesize 235B
    MD5 8b96c632315d38f62cdfb3533c5f125d
    SHA1 af941a2a1309c67d9e54d2160803d147e0f6a2a8
    SHA256 ff8920c2d38ddb33311fe2d3023ce50db6e7cfacd4cfb88e56227c7fab625cc6
    SHA512 5c0e21698cde30b47d1c5c52e1ee11891eb945b539392a0a274ff57c3fe8b0a31be62dd33610bfd76c6ba54119558cb1509446ec3c1b47014fd17751bb7efba5

  • C:\Users\Admin\AppData\Local\Temp\vbcD1D5ED041EDC444A8B6538E97563F37.TMP
    Filesize 804B
    MD5 72f0efb76ac38f31b1feb9e3372237ad
    SHA1 c9a2660bc7f1657e42f2ed081e1e17b3a993cbf1
    SHA256 8aa7dc06856721b3ba60d3defcb757428c02ad383a02fec147808333a7f07108
    SHA512 087e62ca99afbc4d1c61b85b929fab16ffe63cdff658047027a5850e2dacb6c5f2f2188109e4f8bcc4d3ced8df5d4bb021fa1ccf88bc823c3296b4fe4e453b85

  • C:\Users\Admin\AppData\Roaming\0063afc31e689ab178279bce2ec3419b_JaffaCakes118.exe
    Filesize 1.0MB
    MD5 0063afc31e689ab178279bce2ec3419b
    SHA1 5f755f4804a5991cef2395889b4a31fd1fa54822
    SHA256 da0064fdaf4bd4955e9d130e500ccb71e2df41a65eef619d1c556972d1d6cac1
    SHA512 d3efa84da31d6a8f743ec8229438711337fe6c886930bec9f8d37d6ec301b81ac5838b86b51b373baaaa566867c11e306717481c9b88b99a491b3aeee3ec40e2

  • C:\Users\Admin\AppData\Roaming\0063afc31e689ab178279bce2ec3419b_JaffaCakes1181.exe
    Filesize 6KB
    MD5 ba3dce5b4c7863bf7010fbca141e7399
    SHA1 ee7d83197bb301e3082e7e79cf8250e2dd76bcb7
    SHA256 3b5177edd2fe2a8dd1d2de7492ffb0a519adeffa5e8beaa9cf13d0d2fd5a3a92
    SHA512 58fcbe674654c7325f181a6fe7b10f910c982275ca48ee9f605043587da32a6f67028360a522fd480c578082ef5c342b27944630794b1092086dc2b19c76f90a

  • C:\Users\Admin\AppData\Roaming\Happy Birthday.gif
    Filesize 90KB
    MD5 e1f336d93eae5dcef0ea53e27d33135b
    SHA1 c8acc96fe0f80bc220f8ed43f71c8b55250b585d
    SHA256 07dd33438839fab641dfd51fc6f97443398138db7ea4ace748da5c3638079542
    SHA512 f04653d6567a4cdcce5f73cc38021a448453b852f0972869aa8f156c47af985d67d3cb0602ec91a469333b4fa012118f240748c2ac887a906a9492550fbb2469

  • memory/2984-36-0x00000000752A0000-0x0000000075851000-memory.dmp (Filesize 5.7MB)
  • memory/2984-1-0x00000000752A0000-0x0000000075851000-memory.dmp (Filesize 5.7MB)
  • memory/2984-0-0x00000000752A2000-0x00000000752A3000-memory.dmp (Filesize 4KB)
  • memory/2984-2-0x00000000752A0000-0x0000000075851000-memory.dmp (Filesize 5.7MB)
  • memory/4268-47-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-50-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-41-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-42-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-44-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-7-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-48-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-5-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-51-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-54-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-55-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-56-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-58-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
  • memory/4268-59-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)