Overview

overview

7

Static

static

3

5c3933693b...18.exe

windows7-x64

7

5c3933693b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c3933693bb1f8e91a45288d8f37c66d_JaffaCakes118.exe

  • Size

    4.1MB

  • MD5

    5c3933693bb1f8e91a45288d8f37c66d

  • SHA1

    bf724a7e8abedd20d0cacc3907d9127aa8ff964d

  • SHA256

    60fe3c6c3b037ec554e2aabf4072837a4b2b908828cc30c528469f89d9be7a00

  • SHA512

    b4973f5079727ba54c8a1c42a17801034a8530d6e380640ccebcb8a702299ea9cb73ed2268ffa8e2a88398f9ef7426f7c8834ec692cc193001859200170a0b02

  • SSDEEP

    24576:OHXnCvcFNbUPZj9DtYs3eDA+h7RF9Lc48:0p/byB8R4b

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c3933693bb1f8e91a45288d8f37c66d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5c3933693bb1f8e91a45288d8f37c66d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Roaming\dfds.exe
      "C:\Users\Admin\AppData\Roaming\dfds.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\dfds.exe
    Filesize

    1000KB

    MD5

    bf03edd0432c980e79920e1b4ab3dcd7

    SHA1

    a05d07904fd7b07ffc9572d58468c6457ab48a91

    SHA256

    dbb9cba62865ffd36ed5b8872ee451e5f8eb4a0c2382b4730ed98087346fb2dc

    SHA512

    2c153e9c5f90e01561f92e95253f404ffb8a54f004a135fbadaae50964af686cf3c419526ecf50040f2ce5560cfbb73c323b10461a5f8e4a37a373d3a1460ebd

    Download Submit

  • memory/1660-0-0x00007FFD60BC5000-0x00007FFD60BC6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1660-2-0x000000001B700000-0x000000001B7A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1660-1-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1660-3-0x000000001BC80000-0x000000001C14E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1660-4-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1660-19-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1988-18-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1988-20-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1988-21-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1988-22-0x00007FFD60910000-0x00007FFD612B1000-memory.dmp

    Filesize

    9.6MB

    Download