Analysis

  • max time kernel
    86s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2024 04:52

General

  • Target
    24b0fc146a8243d7b084000975fdd515_JaffaCakes118.exe
  • Size
    66KB
  • MD5
    24b0fc146a8243d7b084000975fdd515
  • SHA1
    5e4582694aa63d53b41848498edae98f9b5cdcac
  • SHA256
    d8ef46c5a86dc8ba10ea1fa6a88e41fed256f8d388be05254f4b0c3cfab92163
  • SHA512
    29fcf4fa0e7074eec6f10862c7eed5a48edb350bfd256c0003735f8123998d2d1cb466c54b7ddbd6587fe369c467e4d39a2090dace8169abb14a539cc980fb66
  • SSDEEP
    1536:Xkki0LRzoMPpIxFFAVCnSNz6lDEGa7n7AsV3Mqmbd1lo:Rik4x++Y37pmN5Lo

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 16 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\24b0fc146a8243d7b084000975fdd515_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24b0fc146a8243d7b084000975fdd515_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\program files\internet explorer\iexplore.exe
      "C:\program files\internet explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\dfDelmlljy.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\dfDelmlljy.bat
    Filesize: 233B
    MD5: 1c034cd3313d3485bd25f803f14a2349
    SHA1: 8478dd39d4f3d823a31f276ee49fbb4340b2cc00
    SHA256: 25ced49de473e60983ccc06d8953660cebd8e9c91f8be377db31db80ad94b9ec
    SHA512: f0b20a59c109d471c9cd29d0bdfed69b2149c6e67702d2ca18c478ce2984eb0f3a25f06645402c25c403cc063c204d934569415bf75995288a0923fa1771c6d5