Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20-06-2024 00:02

General

  • Target

    015331241ff5f83b18879e8f84ce0eaf_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    015331241ff5f83b18879e8f84ce0eaf

  • SHA1

    7ae7106ba8930e59253c3a874eb93a4872fa445a

  • SHA256

    d23666e2050ca9735e7a0745a2685e00466b2688af7c61a9a6cfc8f03b407d8a

  • SHA512

    538c6476a351c1d648e3dfdc2b55513efa24574efd56fe7de50863273d9b440233c5d7ca05de8cc929245d404c72b9c59a942c44fe806cb873b1442b608bbee1

  • SSDEEP

    24576:jVBCCc5CdFjqfKhn/rB5KNNCS+FRVvQKLd01W8GwPgx3kuwnXSRcsMc:jVs/MdFjqGn/rBYnkN70xGLtkpXe

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\015331241ff5f83b18879e8f84ce0eaf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\015331241ff5f83b18879e8f84ce0eaf_JaffaCakes118.exe"
    PID:520
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\GB_LITES.exe (child of PID 520)
      "C:\GB_LITES.exe"
      PID:1336
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification

Downloads

  • C:\GB_LITES.exe
    Filesize: 2.2MB
    MD5: e8a175b0229c684fa7a17cdd45e5b10e
    SHA1: 50f3a08ea5c652f7a5bc238a84f807e9fc8b6ccf
    SHA256: 234461d4039cc2585f6681c173c3e06c49c1ed0ebfb981b65db68615d0ece7a0
    SHA512: db184ed9685f15695eec4bbdff174b9c9439ed892d1965099cda4beef33c95c93fbde6e572801ade9a56c70a10f93ddebaa7cdbec34de9ae128643bbe4d32b66

  • C:\libmySQL50.dll
    Filesize: 1.4MB
    MD5: 51b4cecfb4c9ca5bf38215744e5df39d
    SHA1: 6e2b8eed69064ff617aaf8a411e0f627fb59eac5
    SHA256: d4afdbc3b6169128c7752936d9ee4aefe6a435ab3d0ef0d9eb12d5a1bb1e11ad
    SHA512: 74d1e9e7da3035a9dda6bdd9fcc3650cecbfb122cc09d6f4ba231982be5c5342cba23e7d00aac10c012673c562596a23e89cb9fccdeb42743ce026122121fe50

  • memory/520-16-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/1336-17-0x00000000023F0000-0x00000000023F1000-memory.dmp
    Filesize: 4KB

  • memory/1336-20-0x0000000000400000-0x000000000063F000-memory.dmp
    Filesize: 2.2MB

  • memory/1336-22-0x00000000023F0000-0x00000000023F1000-memory.dmp
    Filesize: 4KB

  • memory/1336-23-0x0000000000400000-0x000000000063F000-memory.dmp
    Filesize: 2.2MB

  • memory/1336-27-0x0000000000400000-0x000000000063F000-memory.dmp
    Filesize: 2.2MB