Overview

overview

7

Static

static

3

366774662c...18.exe

windows7-x64

7

366774662c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-07-2024 21:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    366774662ccbe5b67de997b980c250f8

  • SHA1

    7602d334fe709c484d07011334a08801c70b4015

  • SHA256

    c2a4cd5a5e655f16ead7aebff8ada0a1e67cff54d4a1be1d07816cbf3aba5563

  • SHA512

    6b2098208a6af2bdced31a7a143d753b3f31b65cace33e3533da2b1ea1c06197d22a697934d62329fa5b12eeb876979198305f70ce46d7d57fcc429962d87208

  • SSDEEP

    49152:hPmzRUWcCvItro4EfcOPzePmzRUWcCvItro4Efc1PzqPN:hPmzRT14szePmzRT14VzqPN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt
      2⤵
        PID:2792
      • C:\Program Files\IIJFYP\thuder.exe
        "C:\Program Files\IIJFYP\thuder.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Program Files\IIJFYP\thuder.exe
          "C:\Program Files\IIJFYP\thuder.exe" 12345
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Program Files\IIJFYP\thuder.exe
            "C:\Program Files\IIJFYP\thuder.exe" 12345
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Program Files\IIJFYP\thuder.exe
              "C:\Program Files\IIJFYP\thuder.exe" 12345
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:4968
              • C:\Program Files\IIJFYP\thuder.exe
                "C:\Program Files\IIJFYP\thuder.exe" 12345
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of WriteProcessMemory
                PID:244
                • C:\Program Files\IIJFYP\thuder.exe
                  "C:\Program Files\IIJFYP\thuder.exe" 12345
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of WriteProcessMemory
                  PID:2044
                  • C:\Program Files\IIJFYP\thuder.exe
                    "C:\Program Files\IIJFYP\thuder.exe" 12345
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of WriteProcessMemory
                    PID:4424
                    • C:\Program Files\IIJFYP\thuder.exe
                      "C:\Program Files\IIJFYP\thuder.exe" 12345
                      9⤵
                      • Executes dropped EXE
                      PID:4024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt
      Filesize

      7KB

      MD5

      c96c8be3ef0884f3237c3e054ad7de0a

      SHA1

      2cc4f836ceaf5d2d7d70381f8fdb636a09c0ba6b

      SHA256

      27f45d03e0334b665ae03dc1d6fa3220e3ec35f64cb93b5f0589bb5c0f40896d

      SHA512

      a909dfab5146bd08c67ded7a83f00c7db26945fa3203cb35c2041f8c857a75c30533e9f4a4cda6ea14629c36d6c8f404c4c5eb19cd4a863f79544c92ed944601

      Download Submit

    • C:\Program Files\IIJFYP\ipc
      Filesize

      133B

      MD5

      314417833b0d327beccab7cb68cd4f7c

      SHA1

      f6bed9edc9ed8e9ff928194670f5ec3eda2763e3

      SHA256

      37ed866abc19465aa2172d651bbd3ffe2836add54ba3065ff7189f1a75410d9f

      SHA512

      c8645c0528d9b7309b2d6870f8250384654db64fc605667aabdc26d8429a1d03d3306a3082b22afff395d2e1669317dee96f9c6dd839ca440283cb2fe1a223ff

      Download Submit

    • C:\Program Files\IIJFYP\thuder.chm
      Filesize

      44B

      MD5

      3d318935b134cd593c7f1bffcd33cf7c

      SHA1

      b17f1aa31f21549301522c91ce62aa3ef5dcfbfe

      SHA256

      30e72fa5bf5971466907df1b86b42fb95f718b3e8e2995c084ac9921462f594a

      SHA512

      c1da00c13f2928bd434189f0b28b3c28190561113f20375259a16e06376ed5b464e316e1cc040ac04a841c84d198e66aeeea9d44dfa945faf542103a96e2bfb9

      Download Submit

    • C:\Program Files\IIJFYP\thuder.exe
      Filesize

      5.7MB

      MD5

      d0dc1521a5e01a77be3ddc598f7a4dc0

      SHA1

      8bd21d44a0d39347c968a83e567c0735f7f16884

      SHA256

      50b4f5ff89d4f4435e5b7a1c0160a103b79f36b1e041ea64df38b4a630675b91

      SHA512

      9c650a25ee04870cca20beaa9f97578b15d28754b3b2eaa8e9827459681cad524ce63a3acafec722ec73da1d974c5d52f1bbbcb2db6ad276b4d3538deb4e20d3

      Download Submit

    • C:\Program Files\IIJFYP\thuder0.txt
      Filesize

      10B

      MD5

      f4e47a838b81b7346e76811b5431f261

      SHA1

      eeeaf040d7d3a99249fe29d4dc787ebc8b4ab59b

      SHA256

      8882f36e2393a0a290a1610e204896695a2b5856d4e7bfb3bc7c7bebfbd468df

      SHA512

      e757f554be3e05f45f2adb0bb98ee7d6f71a80a198f340ff752544717a2ad0bdb59e80bc264b4d281ec1db4c982bd8ebc5afeb4602b07d63f498fcf21c70128d

      Download Submit

    • memory/244-71-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/244-62-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/1268-19-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/1268-14-0x0000000002260000-0x0000000002261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1268-20-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/1268-30-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/1268-21-0x0000000002260000-0x0000000002261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-81-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/2044-72-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/2172-32-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/2172-41-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4004-51-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4004-42-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4024-92-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4260-18-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4260-0-0x0000000000620000-0x0000000000621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4424-82-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4424-91-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4968-52-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/4968-61-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

      Download