Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2024, 17:34

General

  • Target

    23361cb3857cd34301fd0659ae6e816c_JaffaCakes118.exe

  • Size

    212KB

  • MD5

    23361cb3857cd34301fd0659ae6e816c

  • SHA1

    7c7223688e5c32ef1bfc2ce2cd89642139fe5494

  • SHA256

    0e689c280ee512a558ded89a9bdb4ed8a7aadd5fad3b88b0ecb471ce919a8d03

  • SHA512

    fab17e6b6e04e1b23c551ca5be4a68f54f498405cce883f3dc6930690626ff6bb1c94d205244fe31b9bf20154a4c9ecf83704442cc7133633b3ebd984b024c9c

  • SSDEEP

    6144:ICKTFwzWQfO8J0bqihew3b7KvfCBnn78MDxG6oRKnvmb7/D26NhHmpfXJNRe:XKTFwO8J0egew3bevfY78MDxG6oRKnvd

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23361cb3857cd34301fd0659ae6e816c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\23361cb3857cd34301fd0659ae6e816c_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\jiiifet.exe
      "C:\Users\Admin\jiiifet.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4344
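
The process tree above shows the submitted sample dropping and launching C:\Users\Admin\jiiifet.exe, with both processes adding Run keys and changing Explorer's hidden/system file visibility. The following PowerShell triage script is an added example, not part of the sandbox report, for hunting these behaviours on a suspect Windows host. It assumes the Run keys under HKCU/HKLM\...\CurrentVersion\Run and the Explorer\Advanced values Hidden/ShowSuperHidden are the ones the sample touched (the report lists the signatures but not the exact IoC values), that the geofence check reads HKCU\Control Panel\International\Geo\Nation, and that the dropped file name may not be stable across victims, which is why the SHA256 match rather than the name is treated as the reliable signal.

```powershell
# Added triage example (not from the sandbox report). Run as the affected user
# or an administrator; read-only, nothing is modified.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped/initial files: SHA256 values copied from the report. The sandbox
#    ran as "Admin", so every profile under C:\Users is checked, and the
#    dropped name jiiifet.exe is assumed to be possibly randomised.
$KnownSha256 = @{
    '0E689C280EE512A558DED89A9BDB4ED8A7AADD5FAD3B88B0ECB471CE919A8D03' = 'submitted sample'
    '2CAC403623F7465AB9E74915891F1C470F0F2A68982480C9AFEA8C2A90292B24' = 'dropped jiiifet.exe'
}
$Candidates = Get-ChildItem -Path 'C:\Users\*\*.exe', 'C:\Users\*\AppData\Local\Temp\*.exe' `
                            -File -ErrorAction SilentlyContinue
foreach ($f in $Candidates) {
    $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    if ($KnownSha256.ContainsKey($h)) {
        $Findings.Add("FILE    $($f.FullName) is the $($KnownSha256[$h]) (SHA256 $h)")
    }
}

# 2. Run-key persistence (ATT&CK T1547.001): flag entries that point into a
#    user profile or name the dropped file. Assumed keys; the report shows
#    52 Run-key IoCs but not their values.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        if ("$($p.Value)" -match '\\Users\\|jiiifet') {
            $Findings.Add("RUNKEY  $k\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. Explorer hidden/system file visibility. Stock Windows 10 defaults are
#    Hidden=2 (do not show hidden items), ShowSuperHidden=0 (hide protected
#    OS files), HideFileExt=1. The signature only says these were modified,
#    so record the current values and flag the combination that hides a
#    dropped executable best (assumed, not stated by the report).
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $Adv) {
    $a = Get-ItemProperty -Path $Adv
    $line = "EXPLR   Hidden=$($a.Hidden) ShowSuperHidden=$($a.ShowSuperHidden) HideFileExt=$($a.HideFileExt)"
    if ($a.Hidden -eq 2 -and $a.ShowSuperHidden -eq 0 -and $a.HideFileExt -eq 1) {
        $line += '  <- all three set to hide files/extensions'
    }
    $Findings.Add($line)
}

# 4. Geofence lookup: the country code the sample is likely to have read.
$Geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($Geo) { $Findings.Add("GEO     Nation=$($Geo.Nation)") }

# 5. Live process by the dropped name, with its image path for hashing.
Get-Process -Name 'jiiifet' -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("PROC    PID $($_.Id) $($_.Path)")
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' } else { $Findings }
```

The Explorer values are reported rather than auto-flagged as malicious because they are also the defaults on a fresh profile; the useful signal is a change in their last-write time coinciding with the Run-key entry, which the analyst can pull from the key's timestamp once the script has narrowed the scope.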

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\jiiifet.exe

          Filesize

          212KB

          MD5

          6dbce89bada1a44dbc27beb296e002af

          SHA1

          250d7f433f4ff681d4312047fcff460925bbe9de

          SHA256

          2cac403623f7465ab9e74915891f1c470f0f2a68982480c9afea8c2a90292b24

          SHA512

          9d611be1f1e06557c423847b7c819fa6336f1285378896afac4584672ec5489336842709939ac3e8e133a118835102f0584c57fe32202ec4b5f1433395f35f26