Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2024, 13:48

General

  • Target

    1b896a595788018fc0393e612a6957de_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    1b896a595788018fc0393e612a6957de

  • SHA1

    5453bcb34903b0b36904e900569738dd90624698

  • SHA256

    a8ec0e90fbce2db4559af4178aeea8c6a4df7311e4e56baf3ac963100276838e

  • SHA512

    5155a7484bc379f361355ede3d9989698c842b806edf2262944fc38e70768a687d8cbc0066621e18300cf2e1c9d8c77fc7d45975fadc3764ca46a0f214863af5

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYuoi:hDXWipuE+K3/SSHgxmBi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b896a595788018fc0393e612a6957de_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\DEM4621.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4621.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Users\Admin\AppData\Local\Temp\DEMF2CC.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF2CC.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Users\Admin\AppData\Local\Temp\DEM4968.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM4968.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3144
              • C:\Users\Admin\AppData\Local\Temp\DEMF603.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMF603.exe"
                7⤵
                • Executes dropped EXE
                PID:1512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4621.exe

    Filesize

    14KB

    MD5

    8f6c8b4b4777919c1620029882da9ca5

    SHA1

    aaf3e8d5f01ed7482978e243c931823dc1b9683a

    SHA256

    ed9077b3facb63becac7e943ef46f15815a1dca612bbf5961133e930ff9a074e

    SHA512

    f4b189d06a89ff587b8083df113fc433b69ccffc8e67875391fd69f3d40e1e8636db23ad35ff0a88006357f8802a3c22e10298e5c4cf9819a116bfd78712011c

  • C:\Users\Admin\AppData\Local\Temp\DEM4968.exe

    Filesize

    14KB

    MD5

    6fa5d326410003d92ebc692c46e0bbe9

    SHA1

    2327e4f3cd976a247eec842ff737dfb30ec2083e

    SHA256

    7a85e81f33807b55ce3c930615c04a23292475492b50df8e889c161e686e5d38

    SHA512

    d563390ff2fcf20c1348ae5ff0c453e0108f9e407f1bfa512415ecc3bec110e485cac8925ad456c2f9ef33388162c97dc2e88214ef09008d1683c259144c8869

  • C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe

    Filesize

    14KB

    MD5

    6448ea9856d8cdb2ab765ed48c085c79

    SHA1

    897d8a89922688d11ab064f794d4b211e99c5938

    SHA256

    a518275a98ca295d9fcd30a944545ffebbee20be9169c66d8e56c58b7ca99727

    SHA512

    98a2f360232608a64f05e50a6fd538bde910a1d7a324a4ad8f05daca150621f95dcdb59927ee8a2d3ab2a39bcd12821648652443f2935434dae32f37bf0830bc

  • C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe

    Filesize

    14KB

    MD5

    407b79ed5ba66c561170a0b5a2ac1953

    SHA1

    e6107327f3f10c427da31ae5fffb26915eaf7ab8

    SHA256

    c98deeff5149b3759954f90d5603c9664cb598ec624b00120fc915dd16c1261a

    SHA512

    1dced237bb8c8ef67f4402a9a660bf8531bd4cd82805c8d141edb2263d1ec455cb02d63252790d1d34a95fd651b377e68f2ea393d88b9a06f6d32196abe646fd

  • C:\Users\Admin\AppData\Local\Temp\DEMF2CC.exe

    Filesize

    14KB

    MD5

    c5583b231c4fa106c948926538cf2b36

    SHA1

    e6fbd8f53a155f1a7e83c2ed0210c843683e956f

    SHA256

    5315363229d9f3af7398a7f7b253339a5a8937a98c87b6328b984c0701014d32

    SHA512

    8d4d07f447af7c8d4f495bc6543952fcabd026e71906ff0b31dad7a541aff9b1c37a62fedd63e45e0c478701074d9d044e8a493dd07fb510215aec8f4d0d1fb9

  • C:\Users\Admin\AppData\Local\Temp\DEMF603.exe

    Filesize

    14KB

    MD5

    1bb067b7f7b924718096c183d0ff2b9c

    SHA1

    a39b565f40564959f50779cf0922dcbf86654619

    SHA256

    35ef0a880feee5e85475167abb082db902301991aba192924bca8f69cb526b50

    SHA512

    f980e97b3085529464d6a2ae5374c244c665d33a408046945f2aee4ab1f5159559f2aa93fe8c91ca9732ff8cb1ab573edb0e8f2c4489419cefbdaf97b8c8af24