Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-07-2024 18:27

General

  • Target

    46ff96f5af8ef17d5cc8e5a79dbfb40b_JaffaCakes118.exe

  • Size

    17KB

  • MD5

    46ff96f5af8ef17d5cc8e5a79dbfb40b

  • SHA1

    239957f49617bb4de5c41bc20babb0638855b35d

  • SHA256

    e0af586859b8acb210706bf8e31c7f06e83505ef96f3a0b696a97e38a032ed0f

  • SHA512

    82b8fc1085b154df5ee97dfb69f619a7db0f2fdfd2ca0e6c6f078c3a337eed0d0930c8978042bcfa316fc1c5f24fd00de0ee6f328fc58a2932fadb7bcc4b46f9

  • SSDEEP

    384:0edQZBSx4hO2fCRHDXEutzk0cSnCpacoqj771KZx5jI0/JGO+AxTr6+I9PfYUDrV:Pd6xnC9DUSzkPSCVzrx0/JGOJxqLoI4+

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Loads dropped DLL (1 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\46ff96f5af8ef17d5cc8e5a79dbfb40b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\46ff96f5af8ef17d5cc8e5a79dbfb40b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID: 2976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "c:\support338945a0.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID: 2556
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe Darkbomb.dll FunctionStart
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID: 4432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\46FF96~1.EXE >> NUL
      2⤵
      PID: 2804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Darkbomb.dll

    Filesize

    36KB

    MD5

    7de66c5ded87e8c7e46b1bc9ee2c5db2

    SHA1

    ea9db0f6c616732e88b60e2339dea25ae3b4d109

    SHA256

    5318c5930266539909563b14eec3b9a4ab8996bbdae808a94b51261546aeebf5

    SHA512

    4c56dc2501244cd2b562aef18344fca823a72ac92e2619d8ead0a6714b159fdc14125018c63072c12a956c0501eef9b4e51563e4f4f01768805950b32aa31c9f

  • \??\c:\support338945a0.bat

    Filesize

    39B

    MD5

    d6ad254c75599ac9ceb317d261cfe354

    SHA1

    f9c9bae9bdba0ea9d3c486e13cb554ec9b010909

    SHA256

    3142a7859b079df4a8fd3daf7a9d0057dd2c18ca302c69a6f9526ee543c9a655

    SHA512

    b05820cab51f66b5b8213359f0a0ddde125e3eab5fdfd196393dc805fc02fd9e72bdb1704cc0718131fc55a8b3d7cd7e54f53fa8140a187b508c443f6d85b473

  • memory/2976-0-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

  • memory/2976-10-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB