Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240611-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20/06/2024, 06:56

General

  • Target

    03d3695d1d54572e95669e88832e36ba_JaffaCakes118.exe

  • Size

    12KB

  • MD5

    03d3695d1d54572e95669e88832e36ba

  • SHA1

    66a0b53b8df1743b73b0dfb31895e0d64cd32c21

  • SHA256

    81db08f47d33516ca7da4de905e8dfd71dd570f41d53da2af998af87b92b8390

  • SHA512

    db0f77ddd91f967fcccce01c58f537b2d6cde00918f26ca98691b77e24e569e8c613022ad361c9e3d8d8c5a473ec6e347a36f37212bb94683fcc0d42ff42a4fd

  • SSDEEP

    96:yMVX/DE+pS21HAdZxtwCKbzKj/K2pJc0gPzOt20aM2b:NPYeHwCCKbzKTK2pJ3cOtYMu

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03d3695d1d54572e95669e88832e36ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03d3695d1d54572e95669e88832e36ba_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\sfsd.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3252
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\sdsdsd.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:760
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1820,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
    1⤵
      PID:2040

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\sdsdsd.txt

    Filesize
    31B

    MD5
    b8d3805f924d5fae70c2dd3790f1bd46

    SHA1
    0a050bab93cf23a3a7c167fb8325f82e92bbf963

    SHA256
    d57712faeefb71809c6b9802a02bd39d31ec6954511c616d5153982b8ef1d41f

    SHA512
    34dbe67a8ab1dd1f3196aeceb059288299e0448a637d90f85ade67f9478b5aa10d7911e171c095ce0251569ced5c268bdcd80a464dfa442c43d51217be4957ef

  • C:\Users\Admin\AppData\Local\Temp\sfsd.txt

    Filesize
    19B

    MD5
    61c32087c35124aec22ad014fde8448b

    SHA1
    7adcf46dd9f4958301e8859051910d0432cd0353

    SHA256
    6bb368325e9deac47b0ce311752f1bad1db0d230c518aac8c6f21fc289a5eab4

    SHA512
    a4c062ff2a646c0e361f9b9ac9519f16d72a84446bb4f8f262c247ae2a542d906f45fde8be5f78d8a796dd0ee4b55d3896d1b51b28fe3a205bc79ff07b181aeb