Overview

overview

7

Static

static

3

1b80613ac0...18.exe

windows7-x64

7

1b80613ac0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe

  • Size

    128KB

  • MD5

    1b80613ac090d4eecfdd6554d4290b7b

  • SHA1

    52ee1d680eb6394897e5854027f2eadc76acba2e

  • SHA256

    f7f8376c3a4289f5ba02262cad0889c8f8572b0dac37226e37e71132a20ed825

  • SHA512

    c2399e167628b579addfea8250ea63475f70bafc51c2bca4d0bc4fe2d82e7623ac008e1121f805a3a082ca8d4db4286450cfe61abc7d7f43cb1c84a0bf834d95

  • SSDEEP

    3072:5zrl/nonoroxGDi73tCg3qilL42wA52jOMkrc0:5zrl/nonoroxGDFg3qilL42IjOPrD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Unexpected DNS network traffic destination 10 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
        "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
          "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3956
          • C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe
            "C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe" "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\1b80613ac090d4eecfdd6554d4290b7b_JaffaCakes118.exe
            5⤵
              PID:2292

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
      Filesize

      128KB

      MD5

      8c25f39b3483461174896b6960b166fa

      SHA1

      3e40b0211222643212feb7d8223e7777084fddcf

      SHA256

      90737eec7b306401f3feeb17f25c70f0bcc8feac111469dc525c477a98fe9ff5

      SHA512

      58d85638c27cd5566ed16aeb9d2a71564f896632e9698c2699f589362a84133f222db76e142a4072f2aa59e2ad273d5d3b5e533876dbdd956e768cfab7fd749c

      Download Submit

    • memory/2852-0-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2852-2-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2852-19-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3956-21-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download