Analysis

  • max time kernel
    142s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2024 01:01

General

  • Target

    6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe

  • Size

    209KB

  • MD5

    6228000c2488d7dd89970ecd6d0b9ff8

  • SHA1

    4b027947798ae6a5cc4b777cf3917c1ba0a3c330

  • SHA256

    ac4a3e618c040ac02d28fdef462bc0d1fcf78467f622ca6fb7c49f23a5124733

  • SHA512

    bb057f0598db346fa86d55cdcae6b64320c4dd286f54de6d6566198b7a89b74b236ef93deb2af749538a14fd94fe9856e94be7ac850515800fcebe6a5fdd57f3

  • SSDEEP

    1536:kwQBHvoYUWjzlZLXf4QJpUT0mSBAgapetc8o/Kdgo5QGuG3g7/:kBlvaWjzrLXQQJKgmSBAVpet2Ago5lu

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe"
    Process tree level 1
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Program Files (x86)\f5ae0956\jusched.exe
      "C:\Program Files (x86)\f5ae0956\jusched.exe"
      Process tree level 2
      • Executes dropped EXE
      PID:3804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\f5ae0956\f5ae0956

    Filesize

    17B

    MD5

    2130fee70fc3f7c10d5279f96f98ad1e

    SHA1

    4307cef89171fa230048ea22546802198d888780

    SHA256

    3506e286f6223ccaf1665d4e457b712abeb527266ff28327ce60e37b9fbeb404

    SHA512

    67fa1bb31028ff3ba125f184207499b9205f58c9eef2ac948f5824475515c396b3d5f93e207cb96deffe1aedb286b1f935cc689c5d84449e51c517da1cffe2e5

  • C:\Program Files (x86)\f5ae0956\jusched.exe

    Filesize

    209KB

    MD5

    ec125bf06745232e3bc3f5a8849e732a

    SHA1

    83736d012d6c7a7d062fcfa72a2d182be8c9ca17

    SHA256

    84f6634cec605dd3e7db40eae3cc0fd899e15595e63f2f5f53686ddec1d6fab8

    SHA512

    6db7924c7005afc3cddc1c8f5f23d6f8ad855bb06c4bf2a71bd8efbd0bec64d6103490860f9a31c5b5b2733162b5b4c1b449f282660c093d029175d1822ead5c