Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2024, 16:49

General

  • Target

    42879db12b839f46600c06e20e47b663_JaffaCakes118.exe

  • Size

    281KB

  • MD5

    42879db12b839f46600c06e20e47b663

  • SHA1

    7aa3fda5befb459fc89826f82d1e90d79f9f3b6d

  • SHA256

    2b0574590fc66fb7cc5aa9c10cbbb05003a0f268f4b7858ce0fbc659dfa05d84

  • SHA512

    12f6e4974100901ba19c4bcff52a7fa2b53f696f335d0ceeff06f6f41b22f5bf9813b37a4eb4f1115ad0983dd61956aea11c9b1397912f6fe1efb97196987f7d

  • SSDEEP

    3072:gvVteka8+OtAcKlSRz5THoWGxF8AjJkvZniI274Ym17Iy9vu8np2Ai:SVTarW9Q2dMHjWhS4fz9Nphi

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.byethost12.com
  • Port:
    21
  • Username:
    b12_8082975
  • Password:
    951753zx

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\42879db12b839f46600c06e20e47b663_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\42879db12b839f46600c06e20e47b663_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Program Files (x86)\31d1cbea\jusched.exe
      "C:\Program Files (x86)\31d1cbea\jusched.exe"
      2⤵
      • Executes dropped EXE
      PID:1704
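A hunting check built from the indicators in this report, added here as an example and not part of the sandbox output: it flags jusched.exe (the file name of the Java Update Scheduler) running outside the directory where the real scheduler is installed, matches the two SHA-256 values reported for the sample and the dropped file, and flags connections to the two FTP hosts from the extracted configuration. The event schema, the legitimate Java Update path, the "eight hex characters under Program Files" rule and the sample telemetry are assumptions constructed for the example, not fields from any vendor's product or from this run.

```python
"""Hunt for the indicators from the sandbox report over constructed telemetry.

Added example, not part of the report. Event dicts below imitate generic
EDR/Sysmon-style process and network events; the field names are assumptions.
"""
import re
from typing import Dict, List

# Indicators copied from the report.
DROPPED_EXE_SHA256 = "3954a081bed2ded5c44ad0d325021a2e2e8907916b682fcbd805a387aaf201be"
SAMPLE_SHA256 = "2b0574590fc66fb7cc5aa9c10cbbb05003a0f268f4b7858ce0fbc659dfa05d84"
FTP_HOSTS = {"ftp.byethost12.com", "ftp.tripod.com"}

# Where a legitimate Java Update Scheduler is expected to live
# (assumption based on a standard Oracle JRE install; adjust for your estate).
LEGIT_JUSCHED_DIRS = {
    r"c:\program files (x86)\common files\java\java update",
    r"c:\program files\common files\java\java update",
}

# The dropper created "Program Files (x86)\31d1cbea\". Generalising from that one
# observation (an assumption that will need tuning): any directory named with
# exactly eight hex characters directly under Program Files is suspicious.
HEX_DIR_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\[0-9a-f]{8}\\", re.IGNORECASE)


def _split(path: str):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    path = path.replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def check_process(ev: Dict) -> List[str]:
    findings = []
    directory, name = _split(ev["image"])
    if ev.get("sha256", "").lower() in {DROPPED_EXE_SHA256, SAMPLE_SHA256}:
        findings.append(f"known-hash: {ev['image']}")
    if name == "jusched.exe" and directory not in LEGIT_JUSCHED_DIRS:
        findings.append(f"jusched-masquerade: {ev['image']}")
    if HEX_DIR_RE.match(ev["image"]):
        findings.append(f"hex-dir-under-program-files: {ev['image']}")
    return findings


def check_network(ev: Dict) -> List[str]:
    findings = []
    host = ev.get("dest_host", "").lower()
    if host in FTP_HOSTS:
        findings.append(f"known-ftp-host: {host}")
    elif ev.get("dest_port") == 21:
        # The real Java scheduler has no business speaking FTP from any path.
        _, name = _split(ev.get("image", ""))
        if name == "jusched.exe":
            findings.append(f"ftp-from-jusched: {host or ev.get('dest_ip')}")
    return findings


def hunt(events) -> List[str]:
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "network":
            findings.extend(check_network(ev))
    return findings


# Constructed sample telemetry (not captured from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1668,
     "image": r"C:\Users\Admin\AppData\Local\Temp\42879db12b839f46600c06e20e47b663_JaffaCakes118.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "process", "pid": 1704, "parent_pid": 1668,
     "image": r"C:\Program Files (x86)\31d1cbea\jusched.exe",
     "sha256": DROPPED_EXE_SHA256},
    {"type": "process", "pid": 4120,  # a benign scheduler; placeholder hash
     "image": r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
     "sha256": "0" * 64},
    {"type": "network", "pid": 1704,
     "image": r"C:\Program Files (x86)\31d1cbea\jusched.exe",
     "dest_host": "ftp.byethost12.com", "dest_port": 21},
    {"type": "network", "pid": 4120,
     "image": r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
     "dest_host": "update.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the dropper triggers only the hash rule, the dropped jusched.exe triggers all three process rules and the FTP rule, and the benign scheduler in the Java Update directory triggers nothing. The hash rules are the brittle part (a repack changes them); the path and FTP rules are what survive a new build of the same dropper.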

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\31d1cbea\31d1cbea

    Filesize

    17B

    MD5

    209aa6c14d66621f3aa1cee03a8bf5dc

    SHA1

    0f5bce2a29d3306586934b6d846a172078ee8e66

    SHA256

    57ef9e3c809cf3ca41782d4c7119c3ae7e43ccbb1c00d978b745677f14b82c2e

    SHA512

    8b9fb2bcc8e8785a48d3fe212f852c2f108ef2ab20e9e2a61e9bba5857002abe9111e42411bfc573e50c126031b7ef0433bddfa357de2ca0814f7d31157b9c63

  • C:\Program Files (x86)\31d1cbea\jusched.exe

    Filesize

    282KB

    MD5

    3037de30891cfd1e11262be21506708a

    SHA1

    67feea4680dd7f2993f03186235e58778399546e

    SHA256

    3954a081bed2ded5c44ad0d325021a2e2e8907916b682fcbd805a387aaf201be

    SHA512

    7bcb55fe21a6bac14136d3006bab51ce906fb20553cc2c0cb6fc14e15b56df5a3765a4fde8e3bbef4e8e0747262b21fbd08b55dc5c1d5ada3271675ea6324779

  • memory/1668-0-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/1668-14-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/1704-15-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB