Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 21:59

General

  • Target

    691b71c28e484195c2e38c8e25cad8a4_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    691b71c28e484195c2e38c8e25cad8a4

  • SHA1

    f007228f0eab8cbbd37ddb6a87c8e590571f8628

  • SHA256

    c9dc343e0853088eadadbf2df5e9aba66eefbc28f10d8ee56976a7752a6fec04

  • SHA512

    dc5fca58b245593684363602718e8b5c518095ae0c5ef9906a80cd1e6cc79bb32a638d78673b4ce2db0bd85d6e51adc06221494cdce05501cd74b8b67d123b6a

  • SSDEEP

    3072:als5MBn5DcXoaawqLYYvToWuMy4TcC6nt:EBjdwTWuz4TcCM

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\691b71c28e484195c2e38c8e25cad8a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\691b71c28e484195c2e38c8e25cad8a4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1452 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fqVA49C.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 432
      2⤵
      • Program crash
      PID:3360
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4640 -ip 4640
    1⤵
      PID:848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QOWVUGSW\suggestions[1].en-US

    Filesize
    17KB
    MD5
    5a34cb996293fde2cb7a4ac89587393a
    SHA1
    3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256
    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512
    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\fqVA49C.bat

    Filesize
    188B
    MD5
    1e0effb977e09ad60cedf4c580df4f11
    SHA1
    2c459e26c01ef86b46c74d6692c95d92a8d7f3f8
    SHA256
    d950e3ef26cfa015d3187cdf3ee2a02b4f105d2797f07cfe1979abf22f86fd03
    SHA512
    2840d1a0cd4e3b50100b342bc1271ff2f831866b669352c7a68ed33159bc8ea492f71e797d177f19d6d9c0ef68224e448fc935aead2e05599d993d3a36ba20aa

  • C:\Users\Admin\AppData\Local\Temp\fqVA49C.tmp

    Filesize
    105KB
    MD5
    70f7515f4c22af10bf20eb6274027567
    SHA1
    fee472fe408f6f906045ae65d4754b77be8f584b
    SHA256
    9356e5d976fb0452829d3e62b5456ce8e847ea0cc9bad4399b9ada08557fb5d7
    SHA512
    2fe8cd27494cea143e5aff613a06c0a786080a3595010730086d88f75da43456167e3bc7f21786d3aecffb8b1cd0b695bf050af74343b7bb90ec8c51fcb4049e