Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2024, 00:57

General

  • Target
    2417eb085a2594417b527277d69821ed_JaffaCakes118.exe
  • Size
    170KB
  • MD5
    2417eb085a2594417b527277d69821ed
  • SHA1
    f73bc1270f4e5cbb652de2efa1d589da50068ca3
  • SHA256
    54ee7bd35f6ad5466238fd9992f53bc5f49bcebb576a97a9cffa27abcf398201
  • SHA512
    e17ccea200bc73fc8b8b1bc9b502d329f6b72305772ac3cdd0bd3557e0e5a28f8551a9bc45ca9aa24aa6bdda964130a11395ec19861705ec5b573b1058379601
  • SSDEEP
    3072:bodbh52l7dg4hvhDOAOy8C8pJhVO6UghAsywoMR+2gwRRsgKt1UB3I/cyUZVezk:8Jh5UTvDOy8npZJLywoMjWgKcVDyUZVv

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies registry class 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\TEMP\324B.tmp
      C:\Windows\TEMP\324B.tmp
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\TEMP\324B.tmp > nul
        3⤵
        PID:50760
    • C:\Windows\TEMP\5B11.tmp
      C:\Windows\TEMP\5B11.tmp
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:50892
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 \\?\C:\Windows\system32\com7.qcc,dhoonwue
        3⤵
        • Loads dropped DLL
        PID:50944
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e576ef6.bat" "C:\Windows\TEMP\5B11.tmp""
        3⤵
        PID:11784
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e576300.bat" "C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe""
      2⤵
      PID:11240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0e576300.bat
    Filesize: 49B
    MD5: 1e78a79ffa37ddde81acda102e36b39f
    SHA1: 918c55e1dd318ab0039ea07f3f824cecb20c85b7
    SHA256: 3178e2677e07e03c39fe6c1bad769d1ed163cb043e5364a519be7a5349e080a8
    SHA512: d0d1c6157d64ff910ca4cc5b48992755ffe4ea27c04eec5441097df6998a22e1f578f3a8a990df7b4e20c77c91246472da45e91a01af4123945e47c60773e73c

  • C:\Windows\SysWOW64\com7.qcc
    Filesize: 129KB
    MD5: b282a717f45be7d9c1b3efcc05209a43
    SHA1: 802c0210436591c78b52a57961c23adc9bab1747
    SHA256: e80b4b6e5a871ea3773f482ff06cbdbd20bef5d74e7db80b7afbc37d35b2ca53
    SHA512: c446eb0a9c61bb39ae537ad8cc1730d29274e8618ebe6c79684fa5d04635c739ee4c545b590154c4aa60864867af2ef6931c403dce1dd9b0671640149e5341be

  • C:\Windows\Temp\324B.tmp
    Filesize: 84KB
    MD5: b255e577b30f349d171caf8bc5046766
    SHA1: f9c680b736a495bb271a5ef45952ea94e765c690
    SHA256: eb36f59b0bbf219b3c1b8971646a044c78a7ecfe31bbba5b54e30c7194ef4c98
    SHA512: 0602f58118a82b42bb27fc734db2131ba17db286f8889d90852ffac0a10e03ec79ffdfccb615b11b02c22e91b03e30f48ec3c8b1ca38fcb4124e65b4bc6a25ee

  • C:\Windows\Temp\5B11.tmp
    Filesize: 141KB
    MD5: cf664d25f2af800a188e6d392028d350
    SHA1: a2c80f30d4114cf1f4aec1fd65214b0dd5ca9bf4
    SHA256: 947d021283f080efa75651d39fcf532ee80773a6182d87f7d2bb44b27ceb4c46
    SHA512: 167f061447b1496ffa7e7fc1fd257c850e62062d57f889143e777d5f3bb3495668494ce71cb6d70e1255009ea72a6ce4f84ca21e1ef48a2c79a985278b912d07

  • C:\Windows\menaa1.dll
    Filesize: 64KB
    MD5: f088b680d1147fe2e1a408ac94fb073f
    SHA1: 88b01fa09aa0a1b55f818e9a6c461e45736eafaf
    SHA256: d2f571fc73c3c81d12d7bfdf7193d0699d6148d692c66a3ccfe77e4b400101b9
    SHA512: 7f39dc465ae0db417988fd37be87842b929be42b5a6fdab19c0a6441cccdd0db084344e2c16d5112cd6277a78e331a72c71899361f778b8b6b7ac7965ac3781d

  • memory/1108-9-0x0000000010000000-0x000000001002D000-memory.dmp (Filesize: 180KB)
  • memory/1556-0-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1556-13841-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1556-13852-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/50944-13847-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13842-0x0000000075A10000-0x0000000075A11000-memory.dmp (Filesize: 4KB)
  • memory/50944-13848-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13844-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13846-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13849-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13843-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13845-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13856-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13857-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13858-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13862-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13861-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13860-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)
  • memory/50944-13859-0x00000000759F0000-0x0000000075AE0000-memory.dmp (Filesize: 960KB)