Analysis

  • max time kernel
    143s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 23:50

General

  • Target

    36e65384ecca1d1f0e4f88e0be3a400b_JaffaCakes118.exe

  • Size

    778KB

  • MD5

    36e65384ecca1d1f0e4f88e0be3a400b

  • SHA1

    b4ab8bc4a59edc872e03312c35e70ea793e59b91

  • SHA256

    a0f0cbc0bd2377ee8a06f8774f537145f4e4fbe8d5bff8b136b064d2bd6b7b18

  • SHA512

    bb2aac9f949f9a004cac7408136422bcd819886fd60207dede9facf65c04f50581f07ebf55dcde83224a39750a89431c4539e6371278ccbc1e584d27b17b35b5

  • SSDEEP

    12288:1COSnclIgZQxVJ2p2AltRtphv7kO6KUqx2E9pAJDU44GLChfCZT:o8IJ28AltLpl7KypyU4pChaZT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\36e65384ecca1d1f0e4f88e0be3a400b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\36e65384ecca1d1f0e4f88e0be3a400b_JaffaCakes118.exe"
    (tree depth 1)
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID: 4460
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      (tree depth 2)
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID: 1168
  • C:\Windows\heimao.exe
    C:\Windows\heimao.exe
    (tree depth 1)
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID: 5116
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      (tree depth 2)
      PID: 3852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.exe

    Filesize

    739KB

    MD5

    6c6799bd60d05224c2509a139350db72

    SHA1

    e1dac8ef09200e755985444953726def85978512

    SHA256

    b6330cfc0f65ea960a133f1a3eff8bb90bc38ce386f8473932804331743482f3

    SHA512

    ad380167952c2e60b8ea96ad1516561bb614d09dc33e086522b1078f10cf265ce874a90ecd7354dc743e12554e8628944526dff56236b62085e77381043e5e79

  • memory/1168-13-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

  • memory/1168-19-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

  • memory/4460-0-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

  • memory/4460-12-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

  • memory/5116-18-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

    Filesize

    4KB

  • memory/5116-20-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

  • memory/5116-22-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

    Filesize

    4KB

  • memory/5116-25-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB