Overview

overview

7

Static

static

3

0e10bea41a...18.exe

windows7-x64

7

0e10bea41a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    124s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e10bea41aeedb7ddf1485beb906c03d_JaffaCakes118.exe

  • Size

    149KB

  • MD5

    0e10bea41aeedb7ddf1485beb906c03d

  • SHA1

    9a867993257841e392d09d377dac2be87ee6a09e

  • SHA256

    4390e8a14407aab1e709ac27195497b520139a955280cf2326d86b34b4b5e70e

  • SHA512

    ff0bdbcf5f552b805e4f0ce1ab26218a76dc0c67c64643ed23a2453eb1136c7b81169187f611e80d69231425c0ac21d7943a5057f30001f0a6d269bdf1dcaff3

  • SSDEEP

    3072:2aUG4f3Z3M56CCjcS7GiB8uwDeIBiw8Um7wCVudtCiwyP:if3dM5OjF8t4wdwOCi

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e10bea41aeedb7ddf1485beb906c03d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e10bea41aeedb7ddf1485beb906c03d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4212 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pPJE9A4.bat"
      2⤵
        PID:3076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 512
        2⤵
        • Program crash
        PID:2276
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1032,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
      1⤵
        PID:2388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 452 -ip 452
        1⤵
          PID:868

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          b9b9f42ce6d2b20bf169d05480d239d4

          SHA1

          32b094cc2ff79f07fcd68d585846b919bc350e4d

          SHA256

          4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4

          SHA512

          36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          a6e76f2196f14b1759cfba7c52da6674

          SHA1

          9582afd585b54e303c5fbda8b88f08e7b0ff551d

          SHA256

          2dab190393d8ccf12d6177cb84d5a54b0e0e4ad5d0d56824d7f8cd4601689d58

          SHA512

          63035aeeb1751747dd16fa8d4cf6ed6c8e2252c09bebfd3c6fe175ab52f4427c826099354b61600130a640c5a5ad5146b9c514df077e9dc0e84e7860b1e46b61

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver64EF.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\pPJE9A4.bat
          Filesize

          188B

          MD5

          9b1d19b1a1ea0f78ab25f69737fabbff

          SHA1

          ebfa6446476d2b925932d0ff454d71021de7d75f

          SHA256

          8532facf921e91c64c97b17ad9507743fb2547a83cadecd47994d905a6b39973

          SHA512

          b2b374f155752cc9650b37e01b883df61070cb330e864fc82228fa5fc48d914241636069e68fa87ea4645c52f46c80393fc1145e074d9d7efad7cd4f91ea99be

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\pPJE9A4.tmp
          Filesize

          79KB

          MD5

          7fe5dbb10bb99f8e5751ad3eec09acb9

          SHA1

          f8f023034e8a0edcd3e12d1b88996a9ee5a1e508

          SHA256

          be34bc08f8eacd34ff2ed67584f88bcf95f07a34d11e72d7ca6921aa6cca3f87

          SHA512

          81e6e8ed7a624143fdd030074c89d447ed0f3eaa3eb7fa328c88a2fe82a9131be61b6453a408d1fc387619b1fdd74159709792cfcb4c454255052725062e2b71

          Download Submit