Overview

overview

7

Static

static

3

3ba949a0ea...18.exe

windows7-x64

7

3ba949a0ea...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ba949a0ea07a21574c8c19aa2a98185_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    3ba949a0ea07a21574c8c19aa2a98185

  • SHA1

    6858d3b67e2ebb5b0054adc10ec26716a6561eee

  • SHA256

    8c5c52172fa3fa71809a12be5ecce077b8683741db6e45cfa21274e31a934255

  • SHA512

    c53fb962d10e237f6c06399141396b0b136c01a639ef6b39d1569b5eab0207eda1e4be07ea82672bd3bc76a94e402cbe15d096b37e3d9f131703199f7d5e10eb

  • SSDEEP

    49152:C0R7+Ac0qQEtZkCkg303WlcIxnZg01o32:C0C0qxtZkCk00mpxZgUo32

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ba949a0ea07a21574c8c19aa2a98185_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ba949a0ea07a21574c8c19aa2a98185_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\34pgr6a.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4524 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4308
    • C:\Users\Admin\AppData\Roaming\isass.exe
      "C:\Users\Admin\AppData\Roaming\isass.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c setup.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Roaming\isass.exe \"" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Roaming\isass.exe \"" /f
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:4924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4801.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AF6HG05X\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\setup.bat
    Filesize

    145B

    MD5

    09b39ac5213820d74ff5b2e309021086

    SHA1

    cbc786e7c806db7f6e9bd02fdf18cb7c98ca512e

    SHA256

    4ebe83a1fe4896fd9481fe8d003e3436fb58410b3016c9dd715c57348c981b2d

    SHA512

    c30d5165f3c21a31a37b128e499f788265d64227b94107d95ae1f0fdc737db143e5094cf75dda13cbedbab8e06a88e5d9ecae04fc134f39350a4e0efe860a44f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\34pgr6a.gif
    Filesize

    1.3MB

    MD5

    435f0281ff745d3409a946fc47b9f325

    SHA1

    3ad3b02450602dedf47601cc05de0c0c4c9751d8

    SHA256

    d809497e22e5efd7367be8dd07305e32abb35493aa172905da8f0b301fe5ab16

    SHA512

    5ffc648ca71c1617ba19942897ed01e2992c0c59634ce781c1d435745be66c62561bafaaaabdbe28c4e184cfdf23a6ed6d071bed27cf07d92160dae1a41d9dc3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\isass.exe
    Filesize

    245KB

    MD5

    28f532278f2f5e3fe97f66b4a8cc14a6

    SHA1

    c221f34a188778bc45a4b2dd6f10ca7bdea20169

    SHA256

    f7cbbd078ec53067bdb818a40fa62c26e5b8ba343be5168222638b67fd05c553

    SHA512

    faaa60b839cc5c80f651ba085b1dfb773ea4088a8b51321e75a1e1850c4e79224af842c9128f2f785c1dabaa279089c282fde545c3b441937209899db2ef684f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ntldr.dll
    Filesize

    386KB

    MD5

    f9df718f7508506e9ebdda7a2ea5dd5c

    SHA1

    6a17c548ba8487e340d67dccb95b4b185cd470bd

    SHA256

    8ad40127b256406070ebc5effac5186590b890d8cc79d1a923f0dd3c701b0490

    SHA512

    1c2f1ba6973c2cf589e27ed0b1de18f3cfe1dedea681ea667ac71b351a4ee29c78395f3826341b67ce983f8c16838c7bc8f02fa402fa0cc0077aa7bf1e947421

    Download Submit

  • memory/2204-15-0x0000000000400000-0x000000000061E000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4016-19-0x0000000002200000-0x0000000002265000-memory.dmp

    Filesize

    404KB

    Download

  • memory/4016-26-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/4016-27-0x0000000002200000-0x0000000002265000-memory.dmp

    Filesize

    404KB

    Download

  • memory/4016-64-0x0000000002200000-0x0000000002265000-memory.dmp

    Filesize

    404KB

    Download