Overview

overview

10

Static

static

3

693b8d1541...18.exe

windows7-x64

10

693b8d1541...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 22:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    693b8d154125c6847bb23914eae6ba6b_JaffaCakes118.exe

  • Size

    204KB

  • MD5

    693b8d154125c6847bb23914eae6ba6b

  • SHA1

    d4d521974ab382452b4893e08b8b97091dfe532a

  • SHA256

    3effdcc45ed62fc83729c74b06f7968293e62d8153e122f3c551fc3cfb55fc6d

  • SHA512

    11caec3754e5c8f1f4a22894e29585f1c1404c942465fc91c9873bb0a2e60b0d7c2aa825521b6a8ff863227e4022fe0820ddeebfedb8aed9d011a699613403ab

  • SSDEEP

    1536:NfAiHwgicnislGltILYLU9KD02BBAdKJaPoYkwA7dIolQ:NfQgicdlGvILcU9KQ2BBAkJaPxsIolQ

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.byethost12.com
  • Port:
    21
  • Username:
    b12_8082975
  • Password:
    951753zx

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\693b8d154125c6847bb23914eae6ba6b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\693b8d154125c6847bb23914eae6ba6b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Program Files (x86)\b513f634\jusched.exe
      "C:\Program Files (x86)\b513f634\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2076

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\b513f634\b513f634
          Filesize

          17B

          MD5

          552bb86ed2797d3fd12ac0d273afaf75

          SHA1

          6e8633f9c24590779acbd3dd14c60f856320bc0a

          SHA256

          3ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789

          SHA512

          dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c

          Download Submit

        • C:\Program Files (x86)\b513f634\jusched.exe
          Filesize

          204KB

          MD5

          bba1d2c59a669844c602558f0bddac4f

          SHA1

          400eb32ca6239d99ab8b4f4a6154d7bd3322cff2

          SHA256

          80cd83a96f1d46c4a0ca13ba9ac46c170276ccab8eb128187491cd3a627f2321

          SHA512

          fed5c6034dba20d43e462dd120d07d4b0cf8fdc617d130612dfdf549fb1d4a7af2ad932efe37a9ee9da993901bf10030b02ed55bc82553be3360da5f04e3ff95

          Download Submit