Overview

overview

10

Static

static

3

0a6abd938f...18.exe

windows7-x64

10

0a6abd938f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 19:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0a6abd938fab388897426ab21e136edc_JaffaCakes118.exe

  • Size

    240KB

  • MD5

    0a6abd938fab388897426ab21e136edc

  • SHA1

    29e3d5fc988ceee84b73ea73f4a4c0901f48ada1

  • SHA256

    448677c2289844c630a71fc8bbd2eb786d266b1f061d5f0a9773723c0613f5bd

  • SHA512

    c3a12ffec2f1f864d8510ae2061e1161c2bb3b22f2847d74f394bc26a1d97b80baef0864ee073224af6b9a0dfcb4857f186f7da3601308d7cb353bcc93505fca

  • SSDEEP

    6144:vU3L3dwqsNwemAB0EqxF6snji81RUinKchhypSQ:SdQQJsw

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a6abd938fab388897426ab21e136edc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a6abd938fab388897426ab21e136edc_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\toenau.exe
      "C:\Users\Admin\toenau.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4312
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8
    1⤵
      PID:1740

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\toenau.exe
            Filesize

            240KB

            MD5

            f4dc14b2b878176f5d549bdf170d9efd

            SHA1

            cec67899d66abb08e99b6281ffa2a7b03ada6091

            SHA256

            7ae5463736833958e9fe8efbd10b97d80688916ac44312bf3428f2763fa92f1e

            SHA512

            faf2f5df1abbf14e63679510420db9f59e346bc63f915771d0649d7d89d7be3e2b7a87c7258754713c80b48048ba0eaa2e834a1be58836a63ec721ad47ebcf58

            Download Submit