Overview

overview

7

Static

static

3

33aafe1a0a...18.exe

windows7-x64

7

33aafe1a0a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 06:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33aafe1a0a917c2371680d76d141d67c_JaffaCakes118.exe

  • Size

    65KB

  • MD5

    33aafe1a0a917c2371680d76d141d67c

  • SHA1

    7c41c9a948ec58214341d231bdbf77cddaf8c7db

  • SHA256

    91d1491ab1a5aacb13571273a8c24883f474289b1c082bfdf6170e74fa7253cd

  • SHA512

    2c9c0d109c59bd035566fc4dcb7f845f3912b22287bbe312bd5f011cc48a8b6c8be0d09ecbb2b114240a76facaeae2a5c9566e9b08b64f2c39b0c1798b2c0079

  • SSDEEP

    1536:FIYbNcmmAKwiqcMyY93Bi9L2xtPj1dRuJd9V:GYbN5KKiN03uJB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33aafe1a0a917c2371680d76d141d67c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\33aafe1a0a917c2371680d76d141d67c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_xz_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Users\Admin\AppData\Local\Temp\xzz9BA5.tmp
        C:\Users\Admin\AppData\Local\Temp\xzz9BA5.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\SysWOW64\clientex.exe
          "C:\Windows\system32\clientex.exe"
          4⤵
          • Executes dropped EXE
          PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Users\Admin\AppData\Local\Temp\inl95C8.tmp
        C:\Users\Admin\AppData\Local\Temp\inl95C8.tmp lsm-yiwetm.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl95C8.tmp > nul
          4⤵
            PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
          3⤵
          • Drops file in Windows directory
          PID:948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
          3⤵
          • Drops file in Windows directory
          PID:4248
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:348
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:348 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\33AAFE~1.EXE > nul
        2⤵
          PID:2936

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIDWBKOU\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\lsm-yiwetm.tmp
        Filesize

        770B

        MD5

        38fa2d02e4dff6e43b967cce18d93403

        SHA1

        2ff885c783d6a7265e15732fb7ee6bedab28b1b8

        SHA256

        1ca07061059a6c50d2deac5f444900666f9b424ad01ee68ea359ffa44788b114

        SHA512

        bea28a57605172873831fd5f45afd0f09d536b053d9d08e039eb0d1cdae049f061b84d6fb032c0bb71766bf563742c93b6689ec843f7cbbbdc6945938cb3eb0e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
        Filesize

        60B

        MD5

        0631d9e866ea2cfc3957badf1040d449

        SHA1

        456f7c37f7d1b6decf40743f5b48fa6e3b9f4b97

        SHA256

        ff5c65f631ea1c63a3e81a17f0b905f4b60997390ff17ceb694fce139ca069f4

        SHA512

        e0961420c302c6b0b64299fba2f4c0b20148fbb2cfa86baec2dec42c6a366e9a6005bf63e5a22e68484c760157ce846fa641210513e1a52b433ad3cbac4830bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\run_xz_file.bat
        Filesize

        45B

        MD5

        96bb8c48a175cd36d4178d320e0efb1d

        SHA1

        783af4346db75a366ffe8f406ed2e0f757430e3e

        SHA256

        5b10e1d7e012b10bd53aa3ffa2d4ea365c261a34e43340f998054bad8717484d

        SHA512

        b9c0225e60f96eb20dd80bb1f724c39ec92d3470e60ccd232ff2b459891abd2af929c4ef5dc72001f294dcdf9eccf4e465f866de1fe2b3b4c219d2a210f327c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
        Filesize

        94B

        MD5

        d5fc3a9ec15a6302543438928c29e284

        SHA1

        fd4199e543f683a8830a88f8ac0d0f001952b506

        SHA256

        b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

        SHA512

        4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
        Filesize

        98B

        MD5

        8663de6fce9208b795dc913d1a6a3f5b

        SHA1

        882193f208cf012eaf22eeaa4fef3b67e7c67c15

        SHA256

        2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

        SHA512

        9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

        Download Submit

      • C:\Users\Admin\Favorites\°ËØÔɫͼ.url
        Filesize

        154B

        MD5

        8d681a59ea75e91f730bd9ce3c42e514

        SHA1

        9d426029daeebf03c9053761e0e5a9f447f98e9c

        SHA256

        afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

        SHA512

        ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

        Download Submit

      • C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url
        Filesize

        155B

        MD5

        5a17106c27138df10448c2c3be95f399

        SHA1

        56acc2ed4fea4171127a13dcdee08bdd39d674d6

        SHA256

        c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

        SHA512

        1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

        Download Submit

      • C:\Users\Admin\Favorites\´´ÒµÍ¶×ʺÃÏîÄ¿.url
        Filesize

        156B

        MD5

        8a275b261afcc166671132b6f03831e4

        SHA1

        03ac21edc1de2df748ee3a301a6b3de989c423c3

        SHA256

        0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

        SHA512

        269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

        Download Submit

      • C:\Users\Admin\Favorites\¿´¿´µçÓ°.url
        Filesize

        158B

        MD5

        d645085ab92574a2a17abd323415dde5

        SHA1

        49ebaa4499cacd9256f270f35f31684b7cd195b1

        SHA256

        41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

        SHA512

        a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

        Download Submit

      • C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url
        Filesize

        157B

        MD5

        993f72a439a3301caeb969c7faa7a8b9

        SHA1

        176244349a0463cd0fc38cad426d89dc3b055311

        SHA256

        b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

        SHA512

        c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

        Download Submit

      • C:\Windows\LOGS\DPX\setupact.log
        Filesize

        167KB

        MD5

        b26608fca436aa50e17b85942a242324

        SHA1

        ab8b473e3d7e822119bab0826bf90d4ab5ab420c

        SHA256

        d50f0340b5fab132ec17f8aa717d1255db8de54718269467206f9fc61f82b5fb

        SHA512

        0326fb1b4942bc902882f9d71e08dc6edd46037c88aff0c7c2026bbf6904fdf172d23c3dee81ea8afc046fb5e75a1e347a023f0aeaa06de1ef82c00fb816f160

        Download Submit

      • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
        Filesize

        443B

        MD5

        01f8b2509f3844f8c6e8e198555d3ffb

        SHA1

        55b531078457f8a5583180b018b178f5294f6fcf

        SHA256

        ab9b1350f19e5c3bcec4b6302ea996a20b07db71cc4f99d46d7b9314f208597e

        SHA512

        98b2e3198935d14a6730d9e1dd22dd9f1c6fc692d5052aef9cde84f6745bde36bec984ea7dca2ada001423416eb6c9eac670dada67fe19c9ccccda83c504bd5d

        Download Submit

      • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
        Filesize

        425B

        MD5

        da68bc3b7c3525670a04366bc55629f5

        SHA1

        15fda47ecfead7db8f7aee6ca7570138ba7f1b71

        SHA256

        73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

        SHA512

        6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

        Download Submit

      • memory/1468-99-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1468-85-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2528-41-0x0000000000400000-0x0000000000415000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2892-100-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3760-87-0x0000000000400000-0x0000000000406000-memory.dmp

        Filesize

        24KB

        Download