Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/06/2024, 04:31

General

  • Target

    14b13791bd771ba7fe966fe966445740_JaffaCakes118.exe

  • Size

    39KB

  • MD5

    14b13791bd771ba7fe966fe966445740

  • SHA1

    3d7207afb72f43963daf95b74214598755a91d8d

  • SHA256

    0582e9cafdc5fcaec37ca1f1127081d3f44262bfdcfe14febcc368d197efc761

  • SHA512

    5be0f3307d97bc2ea0c3d8297c9d3f8e3e1954697b1348b6173105f4e7d978b57a80ddc4e13c7a025177d318e698553d094060a2bde2705a1f3cb50728c9a82e

  • SSDEEP

    768:NCdtjTDBX2Xqte+vXwA3RMLTnmjhNOVwCYur/2d:NCdt9GNiwA3iej2VwhEu

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Unexpected DNS network traffic destination (10 IoCs)

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\14b13791bd771ba7fe966fe966445740_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\14b13791bd771ba7fe966fe966445740_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Users\Admin\AppData\Local\Temp\14b13791bd771ba7fe966fe966445740_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\14b13791bd771ba7fe966fe966445740_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
        "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\14b13791bd771ba7fe966fe966445740_JaffaCakes118.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
          "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe
            "C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe" "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
            5⤵
            PID:3764
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
      PID:4560

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

              Filesize

              39KB

              MD5

              a1bffcb96a227678e2af9c2471ec024e

              SHA1

              663a5803bfa6b83653601637a23f82568d332220

              SHA256

              d4aec4fc72cfcfed72a21420ab2a208b1f5b7eb5fd5043196d02f84d9b91275b

              SHA512

              8a819e2c088ec677b7adc3182810662dbee82f9c845650119e2e2fb40098876559e20a2f40951a8f76773d2ef9c9a25e0f97f2a0205eb7058e0cda44a2377a0d

            • memory/812-0-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

            • memory/812-2-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

            • memory/812-12-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

            • memory/2528-19-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB