Analysis

  • max time kernel: 141s
  • max time network: 137s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-06-2024 08:05

General

  • Target: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
  • Size: 448KB
  • MD5: 114a2cbd4baa8f99839403dfdfa970a3
  • SHA1: cf12815ccd4d9bcfcd2e295e6f84bb97692b8a0a
  • SHA256: f92beb2a4d338f69c1d6e5248ba6384e7c1dfc31a7f5f485c1ef5d2a71538720
  • SHA512: 0bc01d6061b4aeb4631e08a21e101779f50c964d86aa469485e7f100d3efda906190a04cde99daac5c69b9a73ed399fac7a551ed21337e7575e19d623fa67839
  • SSDEEP: 12288:WyFthhLwcD96lU5JFDqYQ/IeTLHQBLfgmFg:Wy7hNwJlU3F9H

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • VMProtect packed file (1 IoCs)
    Detects executables packed with VMProtect commercial packer.
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Kills process with taskkill (1 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 41 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\nod816.bat
      2⤵
        PID:4604
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\mssoft.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im qq.exe /t
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2536
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3644,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
      1⤵
        PID:2316
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\nod816.bat" "
          2⤵
            PID:1816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: b9b9f42ce6d2b20bf169d05480d239d4
    SHA1: 32b094cc2ff79f07fcd68d585846b919bc350e4d
    SHA256: 4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4
    SHA512: 36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: c146dedfc5f3150f85d6a3c3d8578f12
    SHA1: f4bbe6738ceec0d0ea01f7d259c8d812e7d44230
    SHA256: 0397b7a212674b4b75f1c94ee0e6eae8a38da894d2b91dd7425544f4d0952f0b
    SHA512: 90d36d369a14ad5f98e5ba08875a8c6cc71aca03b0857a26a9caccc719d3b0f4bde7ed0a366dd30a9a2f54a4ddee8934770ca5607ac053c4b717bacf2b2aca5f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hbgcal3\imagestore.dat
    Filesize: 5KB
    MD5: 9f1f214c16ae092065c5a1596033d25d
    SHA1: 654ae7c44a31f27b0ab6653764533f15e57733a5
    SHA256: 5296612f7fe8745dda58d4bb565cd8a6e004ddd6035392c5481625788bc48b62
    SHA512: f9bfd9c544a5d91681db7b8f0d513de3d2c0e5dae7fa033dc53c591b0a5fd18f87e4439036328a85a639c2c61e8599c544d1bc61edb221dcdcb5e5f8ab939c68

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\favicon[1].ico
    Filesize: 5KB
    MD5: f3418a443e7d841097c714d69ec4bcb8
    SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
    SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
    SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\mssoft.bat
    Filesize: 25B
    MD5: 3d7c7b33e3c17d8a0ff01e4647ba538b
    SHA1: 1c6f75ddb631093d3f6563d00eb0e0b959779e38
    SHA256: f2b5fcb625c6d60c62be2d371d45910506c4a650e6e1a994d0f284740d764c8e
    SHA512: 9ac3b3359c342f8d1d5c7b31abbe5a3797b1d642e907d3c1e8706dc632ac1d9215c4eeaeed454e552217a44cac6e71a3c6bbdb670f0df5450922777bf3b84a15

  • C:\Windows\rxing.bat
    Filesize: 18.2MB
    MD5: de9b364971e516df97025c91f56a52b7
    SHA1: f2d0b2dc72cebc45855ba1ef830bdeda81bccf31
    SHA256: 55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f
    SHA512: 9777a6ce9bf44fd5d426acc1ddc73910908b9fef1ed942c72e7a4c77fa689f3f91c053cd61690e75b8ae59948ff36e937e5b4cbcd197dff574d32e4d11bc6e1d

  • C:\nod816.bat
    Filesize: 374B
    MD5: c9c561c8d6c771461a8ffa1adfab82a1
    SHA1: ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d
    SHA256: fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077
    SHA512: 1591a86ecb930b594b2b0be8ef8675dfad7b3b73fef28ebe95e9dfacb8fa4e743f1d3052b01d6bc009a86d12505be6098c698bee2ae52c911c6421c8e4137712

  • memory/2520-1-0x00000000001C0000-0x00000000001C2000-memory.dmp
    Filesize: 8KB

  • memory/2520-0-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB

  • memory/2520-12-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB

  • memory/2520-61-0x00000000001C0000-0x00000000001C2000-memory.dmp
    Filesize: 8KB