Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 02:00

General

  • Target

    65b5feab63a5caaed4fb9a6e8f6d3cf1_JaffaCakes118.exe

  • Size

    260KB

  • MD5

    65b5feab63a5caaed4fb9a6e8f6d3cf1

  • SHA1

    b7ee676f81afb11712c04907e4970535be628b5f

  • SHA256

    a0b88f496b91fca5a6f9d5fc8118a90f5ee108dc9e58e80e7ab6a199722588dc

  • SHA512

    89889b12987ca3ebcd0c161b0a6628b07bdaae1ad7937055ebfa1c16a871ed6855bbce089ad65baf942949cb7866166598f6b10a9d0e25a215416e7b65fbdbd3

  • SSDEEP

    3072:xw9eiaxuIiE64j9a45Kf/4xLMfKdRR7yH3TFavCPQjIYQHCd8boxQVV/V3xYR:mTI/6qKWmH3TFCCoNLx+V

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b5feab63a5caaed4fb9a6e8f6d3cf1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65b5feab63a5caaed4fb9a6e8f6d3cf1_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\baogu.exe
      "C:\Users\Admin\baogu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\baogu.exe

    Filesize

    260KB

    MD5

    e980cc7c8f9674ccbd94b0c11438767d

    SHA1

    7a36944fabb5995385fdbca97c8a6d49d1aa7138

    SHA256

    e6327eff26d7b72b599c02bdeb6dc7541a80b9d4e09482ae4a1a4815ad0fb017

    SHA512

    ef748afc4a43a7bc31296620feb817408e4484e6afd49fdd4992240e5bf612b85e7d06e5e9f17b8de098516cab686c3c7d334a6941884b4010a6035ab809f14d