Analysis

  • max time kernel: 93s
  • max time network: 125s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-07-2024 03:02

General

  • Target: 5ec947de80e1f54ce7f0e36e97185710_JaffaCakes118.exe
  • Size: 2.4MB
  • MD5: 5ec947de80e1f54ce7f0e36e97185710
  • SHA1: 489b3a403e552e91d5a19b90db79e2a0dbc5c2b3
  • SHA256: 4d0bed8556e3bb72d1d58eabb0d913635e0dd834df9e39d5d76e211da717e3ec
  • SHA512: 58ad6b550261a0aff30a3ce3c8f30d5c14843d7c278e1dae58fdccd23b33f0ab49972763580ee7f064d704a8034c009adaa42d99e06ce0ade7b14c995697ba79
  • SSDEEP: 49152:BRQ4vLFY5AZCgDR89fMByapkN4gLTsnBzodIPaQN0RsnQs96mTCd8dNDS0b:02Y5AZpbkW2T+uIiG0gN9bCd+x5

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ec947de80e1f54ce7f0e36e97185710_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ec947de80e1f54ce7f0e36e97185710_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\StpA8F2_TMP.EXE
      "C:\Users\Admin\AppData\Local\Temp\StpA8F2_TMP.EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\spyzookasetup.msi"
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3440
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:64

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\StpA8F2_TMP.EXE
    Filesize: 2.3MB
    MD5: f3b40eafb791701999d53c1bdb0af884
    SHA1: 2ed4c663798281506197eb0ae9a7a149a0a1cdff
    SHA256: 94dd864e69046179880296e61c9952d94a60f2b242c2860acfe8e3d47c66f083
    SHA512: e543c6e4a50e7b766734566cba68c4547222fea0038dad1778e99661713ccb1de4b0b158af338cc0bd122006afa53e1543f3525af5e77a1c0bc66c5d98ede78a

  • C:\Users\Admin\AppData\Local\Temp\spyzookasetup.msi
    Filesize: 178KB
    MD5: 79f84c6efc767bd543d8baf37cbbb530
    SHA1: 85c783b7edf15d7b03acf84dd45b6a8f580993ec
    SHA256: 7711c6698e4761d7b1acc9de95095b4a02a388a7b5f08f2a61203c877938cae7
    SHA512: 12016db4baf41bdb8b76d71aac6e9996a5f371c5c47911e11a78812922c6d08087d504303961bff84ca3e0abc1bf5be107329f81b73303589a1f6be01059d556