Overview

overview

7

Static

static

3

0f7f045e72...18.exe

windows7-x64

7

0f7f045e72...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/06/2024, 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f7f045e724f914800551f3761e5fe98_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    0f7f045e724f914800551f3761e5fe98

  • SHA1

    8f4be014d7b9f50d674ea10d54b5b39b8726f073

  • SHA256

    bbbca3e9a08af94f0970b2ef175ba180d40e903a46591ae7ffbecfacb187e6d6

  • SHA512

    159156c25d40b1afbd925ab27369dea6def3f31e1d2af58cd784238b08dd6273c445d0736e3c54a2e748cd63bf9ab5954d68c188681297fde7def4e99c60600b

  • SSDEEP

    3072:/eM2X9HjyffpPBXpjYwCmCn8X0lJw+D6TiKceOmVUPduh0kUp6BYJLlROocGsDa2:/AH2n19pEwCp8IRj7PI0MBYPchGFLd6

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\0f7f045e724f914800551f3761e5fe98_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\0f7f045e724f914800551f3761e5fe98_JaffaCakes118.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Users\Admin\AppData\Local\Temp\HQm4602.exe
          "C:\Users\Admin\AppData\Local\Temp\HQm4602.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c start iexplore -embedding
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4392
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1752
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1692
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RjP4640.bat"
            4⤵
              PID:4028
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 524
              4⤵
              • Program crash
              PID:1316
          • C:\Users\Admin\AppData\Local\Temp\HQm6090.exe
            "C:\Users\Admin\AppData\Local\Temp\HQm6090.exe"
            3⤵
            • Executes dropped EXE
            PID:4748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3028 -ip 3028
        1⤵
          PID:5116

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          b9b9f42ce6d2b20bf169d05480d239d4

          SHA1

          32b094cc2ff79f07fcd68d585846b919bc350e4d

          SHA256

          4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4

          SHA512

          36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          e5ffe198986d20ea31ed24e1ebc92ef1

          SHA1

          396cc32430c6dfb9c84a5ecda3e6905830020d63

          SHA256

          c39771683d890d5e0f7a09f2119bbb35014b03cdadd87612321a93ab1ae07659

          SHA512

          7a48f130b2641c199b1a14c9440c8aaeea550c89141ccbf9b2242cbcb67dbdd6d48f1cc37dc77cdea7656e9d273d5a77708098e06b84e4d18b715bfd1893aaf8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC39E.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HQm4602.exe
          Filesize

          88KB

          MD5

          37f6eea09ba76811c1ee94f87e20e15f

          SHA1

          b62f5368f697ba3325d73a9ce9df29d41f94cfd1

          SHA256

          aa271a24d6637f52657f503d602414fe0d7fcf85b130d351eced71a26e7ff53f

          SHA512

          e7fc57eef3dd2efdacb8e74169e2c3865997558e53fe54bf259ecb6c8443f058d7393d5afcea658b825f8fe424dfbc62ba2b536bd622f8925dfbde4da3a01246

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HQm6090.exe
          Filesize

          87KB

          MD5

          7755b2fa69fd2238bc11b29c597a6b3f

          SHA1

          4a150201a413cf63eef2e3645d036b71045b3666

          SHA256

          ae213a13d616a1d700efa916478aa3819812e4d70a3b089ca1ccbb0c5c3eac51

          SHA512

          c0778351deb20ab6248239d0e3a7a9cee22a6cffe24f7ba5d4ae3cd52cecc96f7c074c777a184db19e8333fa0b30031e250dd975d36fb5abc92aae4a25bc32b7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RjP4640.bat
          Filesize

          188B

          MD5

          82112911283e0e6d98c41e15b1c4b22d

          SHA1

          b6b445264670659f5a3fa2ada2b7ad60890af5f9

          SHA256

          2922627feda1ba0cf87168f9df40af08c4a623d990b108042fc447c80b5a52f1

          SHA512

          ce29468850f9af8caa5d543ea52c0d7d78f34e379bcd00030c38e543ff7a308373df22a30b10ad978ecda3d24b93e86d818a3f355bf00d5b4c49a60b51e5eab5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RjP4640.tmp
          Filesize

          64KB

          MD5

          ecb98f4c5ed82ba1bc0a682065d5c8f4

          SHA1

          4c231bd12a2b663cbbfc0307a233d8fc10db7a5e

          SHA256

          e365eb5e634d6bbd5549b21870b091205676a52aade15f31c8d4a62516207577

          SHA512

          09dbbc47b35f77e3e650900472b030a70c4cc9097e718dd026654e50e43eac60495a3078bff644e14784353c0ea6a60cf87425d56bdfe12c819da6a2d4705a2e

          Download Submit

        • memory/3536-12-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4748-21-0x00000000009F0000-0x0000000000A08000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4748-22-0x00000000009F0000-0x0000000000A08000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4748-23-0x0000000000400000-0x0000000000419000-memory.dmp

          Filesize

          100KB

          Download