Overview

overview

10

Static

static

10

0fdf328426...18.exe

windows7-x64

10

0fdf328426...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/06/2024, 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe

  • Size

    598KB

  • MD5

    0fdf328426ecf86ef63b76949fd208fc

  • SHA1

    4e1c12e0108a6e82ab112e618cd1cde5eb04cbf2

  • SHA256

    0592fd7640b20937bb288c44e06d924daa1e3397f55b54440a7c12e7979d8e48

  • SHA512

    4b669582aece23c54c95b3cb5e4f077849e13e4b2aff323a010fa4f0a7aa0d025feadeb76385857a0269c5730877ccc3cdbec529d2fad915efcedea013871f08

  • SSDEEP

    6144:twwD6UiF6ojFnFeVZLHrwwDgUiF6ojFnFeVZL8+nOj0FZOUxku0GzTVowvYy:mC44UefsCu4UefFVXTmRy

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        3⤵
        • Disables RegEdit via registry modification
        • Modifies registry key
        PID:3632
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    173KB

    MD5

    268bdd9f14e2b1934b7a1125b35e74fe

    SHA1

    aceda13e816b22bc199aeb222936985d7a8ee019

    SHA256

    f62a1a51e02d31e99b7cf2612067e7f16070ef6877cbd5bd1dd18108bb3c9250

    SHA512

    4b2c5b213bba1b169b8de4cf36f733ca4ab4640d7323b0057a5d6b92001e45456d36d773e757ee37d8c9d86040999f461f539790c4f4135cf317a45aa44c6ade

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\temples32\ekran\4233386.jpg
    Filesize

    74KB

    MD5

    45b118d5fbe98b7b5e6f760ae1bef1b4

    SHA1

    85282041fd35f46ff7049173e254da6c397d3c0d

    SHA256

    12b8dde71c27d811afb94919f8132e35edc90397b9f1844aaf3c74c48bdc42b5

    SHA512

    398ffdf3367d950c8ccc54b4a557439f26de4a72b761653b159eacbeb43d91803550b8983322bdde68c764521a10066733df7a1b589783ccb7ca0d9d90ff3e8b

    Download Submit

  • memory/1552-27-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1552-15-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1552-17-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1552-19-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1552-26-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1552-28-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1552-29-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4968-2-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4968-18-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4968-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4968-1-0x0000000074E70000-0x0000000075421000-memory.dmp

    Filesize

    5.7MB

    Download