Analysis

  • max time kernel
    135s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2024, 07:39

General

  • Target

    2190f2982f75bc0d3fbef2079dd39fa7_JaffaCakes118.exe

  • Size

    133KB

  • MD5

    2190f2982f75bc0d3fbef2079dd39fa7

  • SHA1

    2451992a1aed5f3217f5bbd2963235e45e0268bd

  • SHA256

    efa57ab8533c71a7bff28c0152f5b857d595905dc32cb4212a51647beb7b41d0

  • SHA512

    014b614e02790d17f328f14c869d2ed1a1167cdd93a4772643af71a9f32c1cc411d1cb1d668105e049efe13439689d086d3a4c51fdd7b0c93b331810f5896753

  • SSDEEP

    3072:osDho9RH8JOEFSAbKF7YaNrbmVtFV5kNihlyKlrDg2/O7v:5oBTVYaNryVLV5kQrfW

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2190f2982f75bc0d3fbef2079dd39fa7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2190f2982f75bc0d3fbef2079dd39fa7_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • Checks computer location settings
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C 1.bat
      2⤵
        PID:4700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 660
        2⤵
        • Program crash
        PID:3852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 412 -ip 412
    1⤵
    PID:2480
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
    1⤵
    PID:3900

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.bat

    Filesize

    139B

    MD5

    a15d93363ce6d4fdcd1a4eadf0b7c836

    SHA1

    307672a275fe5244a2b4b74e78c659ecc7ccb8dc

    SHA256

    aec942bd619ba04549764efdafc3400e0db9ed18ee90aa87c83188cc82a0fd2f

    SHA512

    782e0b4c5efb5a2c90aaab5a7e6128643d02d5f5913e0275f1c98403478e04e8f5b794d2f6a848ac542ca59041aa901bebfaf91abb3f7a7764947f4302ac3875

  • memory/412-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/412-1-0x0000000010000000-0x0000000010005000-memory.dmp

    Filesize

    20KB

  • memory/412-9-0x0000000010000000-0x0000000010005000-memory.dmp

    Filesize

    20KB

  • memory/412-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB