Overview

overview

7

Static

static

5

3294eed3b9...18.exe

windows7-x64

7

3294eed3b9...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3294eed3b9b1505d9c8e37ae990f6ddf_JaffaCakes118.exe

  • Size

    614KB

  • MD5

    3294eed3b9b1505d9c8e37ae990f6ddf

  • SHA1

    65d988638bf65b273f99f603d2beac3cf2270032

  • SHA256

    2d027c212df0e6ed79e6ba61bee72abc855308b14189a2c48c7cc1f2c1964381

  • SHA512

    fb45bdddb77fd4e47249282008aa35b1f1411f5d4b60dbc112a27a962448fa553c6db8545b9ec913a387d86faab81bf023d8ba48f4dd08f6b57d9cafd1fb108a

  • SSDEEP

    12288:oaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQYn:/adMv6CYrjqnyLQ+

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 12 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3294eed3b9b1505d9c8e37ae990f6ddf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3294eed3b9b1505d9c8e37ae990f6ddf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.n"
      2⤵
      • Checks computer location settings
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\3294eed3b9b1505d9c8e37ae990f6ddf_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 4 127.1
        3⤵
        • Runs ping.exe
        PID:456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VRLMADU3\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\monitor.n
    Filesize

    7KB

    MD5

    a4bf7f9ba9b3e741c3054dfa0b5325ee

    SHA1

    2d5810b2d46596b4bbd04b565806ea7ec99d9116

    SHA256

    72f10825026c2f8fa14aaaae7a3919f96c56e6e4d2fe650b0268efe3a9b0469f

    SHA512

    b7853a9e9f451ad96f4421cb8c5dd8847813a568dc056c309a4296cbf4de05eeead66236001eea0125cb7a6fa7c1baf5555221fa5d0b76e13e4698504e592eef

    Download Submit

  • C:\Users\Public\Desktop\Internet Explorer.lnk
    Filesize

    1KB

    MD5

    057041a0e4f08fb51274f105722e9976

    SHA1

    5909d0aad132972886847a263c941919f6aa79e2

    SHA256

    8dcd711b2bae2513d098e2751fb1bf54af37d9aa64da647f407bdabe721ab0a7

    SHA512

    6abb48406bbb420c89db404bb2dffc3947993edbf2c7d7f70c31b23c93f492bb811d1edec6179af693720bb7ebe0186132fee61a6e766ae9b16e1e603cad8dc8

    Download Submit