Overview

overview

7

Static

static

3

1a840a3c70...18.exe

windows7-x64

7

1a840a3c70...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    125s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 07:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1a840a3c705ef55e0ed6262ac41d516a_JaffaCakes118.exe

  • Size

    267KB

  • MD5

    1a840a3c705ef55e0ed6262ac41d516a

  • SHA1

    ab570527a9f49389c6aa4ac4b55249eaa86b1cca

  • SHA256

    9d086957c0c5144e230854368a6b0eee11256b3797e194197b35cbfc91ffe825

  • SHA512

    62088596d2f3ad6a85abb0a71ca7571e2c88a9c65bccfa1065cfbe6c1783cf2850e102b7864789962a607167b10bebb1c6c37a95b5eb173f3cb5f079028c64d1

  • SSDEEP

    3072:kxvypKnQxFIsBEs6ijRj7v5tAvSNZHd0VYclOL2ZPhwo1XrwFEP4h:GU0sX5LtGSNaYc3Z1XrwFEP4h

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a840a3c705ef55e0ed6262ac41d516a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a840a3c705ef55e0ed6262ac41d516a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" "C:\Windows\system32\world2.html"
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4628
    • C:\Windows\SysWOW64\3..exe
      "C:\Windows\system32\3..exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\SysWOW64\3..exe
        StubPath
        3⤵
        • Executes dropped EXE
        PID:624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 480
          4⤵
          • Program crash
          PID:3036
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 624 -ip 624
    1⤵
      PID:3532
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3236,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
      1⤵
        PID:2728

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\3..exe
              Filesize

              10KB

              MD5

              fef48b2345e8030fd734145721fa5f98

              SHA1

              4259e9fce66621889909833ad9d07fa29ec91135

              SHA256

              5ff8b971dfdcf93c673b8f0f76012de35d0a2ac11bda1ff3480d979efbc55ac6

              SHA512

              5c191c892f0a771902fcf9b593fae78499a8cb21c655867a3c6bbb3faf5caf466d705ec5fd8ce1d17625083dea9ce0da1feff01caeb4320df04a0038f724055a

              Download Submit

            • C:\Windows\SysWOW64\world2.html
              Filesize

              151B

              MD5

              c2c9349012ee49ec51945f5b2aa45935

              SHA1

              37e4651e12ce98c0e76bf727addf78b245830a72

              SHA256

              eb40c81ecb4d8eeb4c9810f834b7c3583c21388865f5290a9f5993021ca80a64

              SHA512

              1947544bccd6b6d2419db8cab17bf356e5e398fd93e8913ffb84ed90bed47370a8dc99d97f4d2e12957b25ef4bd7e4973c91b7238a98fbc79121f3fb7469c072

              Download Submit

            • memory/624-13-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/624-15-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/1068-10-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/1068-12-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/1688-8-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download