Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
12-07-2024 23:46
General
-
Target
3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
-
Size
92KB
-
MD5
3f595b1921a904b90529846fa57a4190
-
SHA1
b17f21d4cc0d9c21418e5b25da3029425fd0126c
-
SHA256
32d262678e6d4dfc8d1c7e526054cee75a36a874bd8bc9b9f6e657f68ec8f1ea
-
SHA512
6fec913d6d8dee3c1fd01f11b5d399f43013e8582c82e3e6cc55e6069ad24f1b47b2e3e6d9e1ddc6b21a947aaa817f18af35adb6d3ad0a1159bf2df27d7cdb7b
-
SSDEEP
1536:VdyDm3xH/6TpJ7hrpmkhucjmzjHHqXojhbZLF96lotSoDTRnwvpw:/M8xHSPxg/jqXoN1WldcBUw
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 20 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 39 IoCs
-
Identifies Wine through registry keys 2 TTPs 21 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of SetThreadContext 20 IoCs
-
Drops file in Windows directory 21 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe"1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"7⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"9⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"11⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"13⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"15⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"17⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"19⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"21⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"23⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"25⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"27⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"29⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"31⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"33⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"35⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"37⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\windows\qeijdsfhst.exe"C:\windows\qeijdsfhst.exe"39⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\windows\qeijdsfhst.exeC:\windows\qeijdsfhst.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\appdata\local\qeijdsfhst.exe"C:\Users\Admin\appdata\local\qeijdsfhst.exe"41⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\appdata\local\qeijdsfhst.exeC:\Users\Admin\appdata\local\qeijdsfhst.exe42⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD53f595b1921a904b90529846fa57a4190
SHA1b17f21d4cc0d9c21418e5b25da3029425fd0126c
SHA25632d262678e6d4dfc8d1c7e526054cee75a36a874bd8bc9b9f6e657f68ec8f1ea
SHA5126fec913d6d8dee3c1fd01f11b5d399f43013e8582c82e3e6cc55e6069ad24f1b47b2e3e6d9e1ddc6b21a947aaa817f18af35adb6d3ad0a1159bf2df27d7cdb7b
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB