Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 13:25

General

  • Target

    0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe

  • Size

    820KB

  • MD5

    0666dc953174e2532fc7e2c6a619ed29

  • SHA1

    64570ae1f41a4c8792f31718194c06eeda3af0d1

  • SHA256

    c4b744bc109c8d0330442c880cbbd78f4845a3bb72e3f1bf377331230d47ff85

  • SHA512

    82d0ebf649597978c197b83651d2eea7210f435724d4a12066052d9117bd40af21645b9f95a5b3cf081fff2b399caeda903e1ab0781c4129a9cfe9b6a1a4ba2c

  • SSDEEP

    24576:UcnflP/yxRdg1n7MP+h202fVmEUaFdt/6nu4ucDdw3xbkE:XlP/yt6o+2M7MtCuadw3iE

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe
      "C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4200
    • C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Deleteme.bat
        3⤵
          PID:4648

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

      Filesize

      132B

      MD5

      86b553fba6309de0e4ad6dd0b6b7361d

      SHA1

      4a26abf7ab216bed7ebbe5b6562a88b19f3e73b7

      SHA256

      39c3919c39670fda6ddfefa7323260e1609339aacc97fe51b1578b5ea7148e75

      SHA512

      ec1310a515b591157ec152e23f93dd591419d74df5655e49a26346102664c3ff17efa8eeb617d311bb29dd76c4c5972f4f0d74e7b33ef90f23959dcf48ea99ab

    • C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe

      Filesize

      375KB

      MD5

      de5b0dd3a16c1ec9cf307f13525b6657

      SHA1

      5be01b92fa813f51306e08d472b42e8c62c3637c

      SHA256

      69ba7530c540c915a71c444af52104351f00aaddd779d95891f2dacc0f30a3a8

      SHA512

      f6498838cf97f77fb180964e8a26221dbf96df68415053a2a3edc550db94f01bdae37f9e6e368be3ee423184984b585d8fb8eb90a2d547185a1fc269264b11ac

    • C:\Users\Admin\AppData\Local\Temp\loader.exe

      Filesize

      350KB

      MD5

      5564293354d9d684d6a2bfbc9be54e5b

      SHA1

      72b56c9ec3ac1c7c9011f7d02bf9c5a7517f3b19

      SHA256

      c9291e111b15370a6546ce5e0848018b4ce15a1a277197e3b5a73389508f06cd

      SHA512

      f5cd649482ff56babe138350efbc31b18e7270fb32ee286eb9bf60d3025099ad059dbfb85347a6a60fc87eb07339605e53e5c93af1784baa5f4c4617cd9aeb2c

    • memory/2976-20-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/3712-23-0x0000000000780000-0x0000000000781000-memory.dmp

      Filesize

      4KB

    • memory/3712-43-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

    • memory/3712-34-0x0000000002170000-0x0000000002171000-memory.dmp

      Filesize

      4KB

    • memory/3712-24-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

    • memory/3712-21-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

    • memory/4200-40-0x0000000002170000-0x0000000002171000-memory.dmp

      Filesize

      4KB

    • memory/4200-25-0x0000000002150000-0x0000000002169000-memory.dmp

      Filesize

      100KB

    • memory/4200-39-0x0000000002180000-0x0000000002181000-memory.dmp

      Filesize

      4KB

    • memory/4200-38-0x0000000002190000-0x0000000002191000-memory.dmp

      Filesize

      4KB

    • memory/4200-37-0x0000000000650000-0x0000000000651000-memory.dmp

      Filesize

      4KB

    • memory/4200-36-0x0000000000640000-0x0000000000641000-memory.dmp

      Filesize

      4KB

    • memory/4200-35-0x0000000000670000-0x0000000000671000-memory.dmp

      Filesize

      4KB

    • memory/4200-22-0x0000000002120000-0x0000000002150000-memory.dmp

      Filesize

      192KB

    • memory/4200-33-0x00000000021B0000-0x00000000021B1000-memory.dmp

      Filesize

      4KB

    • memory/4200-32-0x00000000021A0000-0x00000000021A1000-memory.dmp

      Filesize

      4KB

    • memory/4200-26-0x0000000000660000-0x0000000000661000-memory.dmp

      Filesize

      4KB

    • memory/4200-14-0x0000000000400000-0x00000000004CC000-memory.dmp

      Filesize

      816KB

    • memory/4200-45-0x0000000000400000-0x00000000004CC000-memory.dmp

      Filesize

      816KB

    • memory/4200-46-0x0000000002120000-0x0000000002150000-memory.dmp

      Filesize

      192KB