Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 21:10

General

  • Target

    366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe

  • Size

    264KB

  • MD5

    366525c0bb1391e1642d3904f6d2565d

  • SHA1

    da28048168cbd59b82406fc911d488c9ee9ee3c3

  • SHA256

    41c2c0740c7821f19b8d3f492ef37d6f3572386f8f2f8acba7aefb2dae055c48

  • SHA512

    0bcc3b3f8664c52918df410702d71c2044e5bd051a42e7ed4763b26f4b6fac046e6fa889d0fd405eb1a2a9f76565eb3ce50ea5f30b3d680c30fd35414a0dd295

  • SSDEEP

    6144:ZrrXI/3JJYHyxyIuEA4aZM9DRruwcu3zCCvQe:FrXcvHVzKu3zCCvQe

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 52 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\xsqaox.exe
      "C:\Users\Admin\xsqaox.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\xsqaox.exe

    Filesize

    264KB

    MD5

    299b6cbd0be1077638bc63831547247e

    SHA1

    e792851c6273f1b0e9ab22ccbadddb3b6fee1fa1

    SHA256

    323f4aa6ee3890d27606c174b8a585a5155b3b44122733aaa6044e166dff505a

    SHA512

    ea4085d7b13a98e040bdac86db0ff8191ce371e537a7279b7ec62759684b6d04cfedbcaf2eaab9cf2304933d7719f69fa12b5f463f02f8a994554a1bcb8d60de

  • memory/760-33-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/760-38-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/4960-0-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/4960-37-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB