Overview

overview

8

Static

static

3

44878b1ceb...18.exe

windows7-x64

1

44878b1ceb...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44878b1ceb3910b218423dab7eaae748_JaffaCakes118.exe

  • Size

    128KB

  • MD5

    44878b1ceb3910b218423dab7eaae748

  • SHA1

    00f762f28a0c95f7cfd2cdd25e12aff3490eddea

  • SHA256

    50fd743d51c51a9b7f11731a304d920072b7d1f4e451933d1b9d2ef36e88c0dd

  • SHA512

    70e398cbc2e0475af735e5fa56982d1bab6ec6ceee19bd2a1b81daccdd0435ff294342ba715e1bcbfb23c46c644f3d35f6c9b1477c5a6b5d706eeea5641c3d40

  • SSDEEP

    3072:3qUVPQ5dN+Ho4xiE6wAFtaQFBNWAT9IJXvbjwmEUv3:JVI9+HohE2aQFBUvbjw8

Score
8/10
persistence

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:620
    • C:\Users\Admin\AppData\Local\Temp\44878b1ceb3910b218423dab7eaae748_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\44878b1ceb3910b218423dab7eaae748_JaffaCakes118.exe"
      1⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Users\Admin\AppData\Local\Temp\0.exe
        C:\Users\Admin\AppData\Local\Temp\0.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Users\Admin\AppData\Local\Temp\a.EXE
          "C:\Users\Admin\AppData\Local\Temp\a.EXE"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.exe
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:2140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt
          3⤵
            PID:440
      • C:\Windows\SysWOW64\z.exe
        C:\Windows\SysWOW64\z.exe
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4264

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        103KB

        MD5

        0c1501fc79a3d4aacc5e23e734f90576

        SHA1

        906dd77f15146e05ec7fe301b54de8b79a1ea903

        SHA256

        e183ef51bd9a58f7f16233291b309ce00effb7dcefbd9d3bf17d9f27035b3e6b

        SHA512

        cca67163cf755c5aa6f3ca88d2f1781219faf10fe625969b01d1f29e0c14d418e36e131c65640be771322d2a7664b87a432d64bca73363ca9feed177f1adf7f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.exe
        Filesize

        17KB

        MD5

        4a9b7155e044df26b3a4a868dd1234c5

        SHA1

        13fbea1b97b51a090ca04bf72689ad2069735cdc

        SHA256

        3dcef37e533f7f5ba38540214c4fe824b13b5ed0be2c2ea54ccc9be112cf08c0

        SHA512

        f65b45f2859fe0d4e2c0783ae192565c9d7acbaa344a1744a6ab1704d848b953a6e696e233b9e84804e2f4c2342aa551c7fc3d6f7d0cc4860b2ac11b22af5d6e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a.EXE
        Filesize

        76KB

        MD5

        a2174af04381d11dd1e19cafbbf281e5

        SHA1

        95d9245d97c59c1f6c408322d9f7298194d34a1e

        SHA256

        ed2158130aa5c40a5ce0805737e6cb8ef312388cd25fc30f03b8a1fbb98fe92e

        SHA512

        243802ef46b0b757882f0e691aa8fdec91c8ac9dee2fa82ce419d0dc268476122a870f95a796deb1453771154ef07e99a95b75bbd8c6ec98747e5a120c30bb84

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt
        Filesize

        128B

        MD5

        d9c49686033024152395358ce66e9ac4

        SHA1

        13d99d1a84aa97d9701bfe43074421b9b46a7ca6

        SHA256

        bc88ca306af6562ace28f7760e3f70f0fee62b5f2427141d67951c421672f569

        SHA512

        c3cf4367f8e6ed05163b2b62d1ffd8594271cef574c6d98c12694832554de274cb484ce860bbe35cc5682d359a46fd0034ce1b07a25e041c6fb52d22ad2c84e9

        Download Submit

      • C:\Windows\SysWOW64\00026906.dll
        Filesize

        30KB

        MD5

        9caddeab7b181eed6211cd788aee31e4

        SHA1

        b8ad1559598ba3cbc334e3219f8eeeb60bf5acea

        SHA256

        0c7664066645e338a019dbaa0d7913e388e11c6380e81d667827b67eba26a938

        SHA512

        17cfb2d7f991d0935f13e2b288827a00f246eb8e00c2519c042844d6b2bf6ef100394b1d89813256948b9a0b0ade3bf0f37bf243cb0b037d27bf94ab39c0b5fc

        Download Submit

      • memory/412-0-0x0000000000400000-0x0000000000423016-memory.dmp

        Filesize

        140KB

        Download

      • memory/412-12-0x0000000000400000-0x0000000000423016-memory.dmp

        Filesize

        140KB

        Download

      • memory/2140-30-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2140-40-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4264-41-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4440-25-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download