Analysis

  • max time kernel
    141s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/07/2024, 17:13

General

  • Target
    640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
  • Size
    8KB
  • MD5
    640f35ee88c5b979a7a78814c067ff0a
  • SHA1
    0e30f5c203afcaf6753390bfe303e9a050138e62
  • SHA256
    3a1cd071e24726e2b14edc1a55964e48986dc80c71b346815d38f1d132086456
  • SHA512
    d06451d2756527892f951f82176327174b912d751871581af8728ec47a0d239a78bba07748808ff9047a21d8642f3662cf43dc7580425b0d9c85c2dd069cf621
  • SSDEEP
    192:9bElpZHUjkkdPBGz1ul1NWJFaNJhLkwcud2DH9VwGfct8uH:9bEpRakWPBGZul1OaNJawcudoD7UWQ

Score

  • 7/10
  • Tags
    upx

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely a geofence check.
  • Executes dropped EXE (1 IoC)
  • UPX packed file (2 IoCs)
    Detects executables packed with UPX or a modified build of the UPX open-source packer.
  • Enumerates connected drives (3 TTPs, 1 IoC)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat" "
        • Checks computer location settings
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3380
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
          PID:3616
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
          PID:3412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
        PID:2972

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe
    • Filesize
      10KB
    • MD5
      667b775061f480e6922d654e64f483d4
    • SHA1
      02521f0db9dfc6755869db30d0368cf3b1f6c78d
    • SHA256
      dc4c07ba975b890305d7b767c0e2467c36dfedaec6f14c2ec0653e8f2ee49fa9
    • SHA512
      2743e7e434cf54ba049e8c7358c86103ec39e0d1dbce4025359bd002811be2a8d0b5538b5d110a28710814582f7a4ea31759d52faaa0e379d7a3f1bd3e315f58
  • C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat
    • Filesize
      1KB
    • MD5
      0bfac90c179b2b0eb14241768b091e03
    • SHA1
      c23382a5c5e6d11ad41fd6819ba2093d3c9db099
    • SHA256
      c4b4faaf650530b390850356f1af0fca6359357ac48b40f46ca0ac436325f04d
    • SHA512
      ed3f750da2d95925b96a623431dd9d40e2cb9229093cd3b008cd56fc3e64741b8d58123af026f9b0a7058947f612dc52b4b9654f470fd9223b6c8df8b3ba5c64
  • C:\Users\Admin\AppData\Local\Temp\a.vbs
    • Filesize
      53B
    • MD5
      ca0f2398bd2826a29c3f75bddde54891
    • SHA1
      3d58403d49335187a332cc8de1f7db0e1f4a4937
    • SHA256
      ffbfa4f17d477d877a5fbe259b4b427677006ff3a28df0d7ed6729dd7fea7922
    • SHA512
      3910e7af69b8bb0c464b99e6c987b2612f809e08963fd74441dc86d362d671769a4c5e87e41dd64d7de89e92ce1ca1ccf0cb458036e1094d0dd8f7a609039b87
  • C:\Users\Admin\AppData\Local\Temp\a.vbs
    • Filesize
      60B
    • MD5
      46fad2ab21d05db03903ec01dfadd348
    • SHA1
      80a904f97f2b8dafe26a5ded341dc3c8895563e4
    • SHA256
      d1808d53224d50d790878bf1b3504fa57c153082c16c8481c7fd05c878923d00
    • SHA512
      7fd1bbf4d858b59ecd39bee4756201e81df2abfe108d4edd54110e180c736067644f25ae5b428afa2cf3779e9ced2ea86cedf2ee068994348357464cfe14c63a
  • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
    • Filesize
      158B
    • MD5
      2f3c92a8a657dd4d67e08feffeb2981c
    • SHA1
      4d7ebf5618e9d6bf95ebaf7ee3f1c279fca9ffa1
    • SHA256
      a08b791ec12fbeaeb711f2b50c495ab7251103852bbe1178cf9af6b7271a3900
    • SHA512
      e159bc1db27e673058b547dbb2988132b402da6cbb0e09a804591eddc10509335c2edbf74e708500bb83eb7afb642e9a281f345f73b74daa94e0f6cdb8fd0623
  • memory/1108-8-0x0000000000400000-0x0000000000405000-memory.dmp
    • Filesize
      20KB
  • memory/1108-29-0x0000000000400000-0x0000000000405000-memory.dmp
    • Filesize
      20KB
  • memory/2828-0-0x0000000000400000-0x0000000000409000-memory.dmp
    • Filesize
      36KB
  • memory/2828-12-0x0000000000400000-0x0000000000409000-memory.dmp
    • Filesize
      36KB