Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
10/07/2024, 18:31
General
-
Target
35e33bb27519b401fcb476114b53545a_JaffaCakes118.exe
-
Size
10.1MB
-
MD5
35e33bb27519b401fcb476114b53545a
-
SHA1
37a4c1fa21b6507e8f3d1b1a290efc91b98a5770
-
SHA256
d0429c9b3ec2c80fff2e77d8398d6497759c79bc864eae4b7172057ad0982585
-
SHA512
290090ff12481b573009c085dbe4848a777254f73edf55bc385c1a04ffbd192ff22298c9f14f58707f31615cc57aab7035a836b93bf2766c94abef461e402dff
-
SSDEEP
98304:/bI/3Hp22yGRXx7skk8ESkjLhTFiVVs+K:/s/522xXx7skk8FkpTFgs
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\35e33bb27519b401fcb476114b53545a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\35e33bb27519b401fcb476114b53545a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\go.bat" "2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\progra~1\gbplugin /G everyone:F3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\progra~1\gbplugin\* /G guest:F3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram C:\windows\system\Plugin.exe RPCCC2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
266B
MD547f61f21deb81f981340e1e452480900
SHA1542ae5ca2819ab270562103964ba4af9aad705ad
SHA256f2e34e72f79cbe65e989bbfa52f1fe1e90dbfac74ee0efc2061593d2e094de66
SHA512071e0488b033bf71caeb6c511e0e6e288ff8585e98d226e0e94d7f5269005cabd5072ec16d47e0b3908fdd074286160b7831186941bf08151348bd2e33a5b87c
-
Filesize
10.1MB
MD535e33bb27519b401fcb476114b53545a
SHA137a4c1fa21b6507e8f3d1b1a290efc91b98a5770
SHA256d0429c9b3ec2c80fff2e77d8398d6497759c79bc864eae4b7172057ad0982585
SHA512290090ff12481b573009c085dbe4848a777254f73edf55bc385c1a04ffbd192ff22298c9f14f58707f31615cc57aab7035a836b93bf2766c94abef461e402dff
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
4KB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
4KB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB