Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23/07/2024, 10:20

General

  • Target

    672d283bc8caee292af483b10389143c_JaffaCakes118.exe

  • Size

    64KB

  • MD5

    672d283bc8caee292af483b10389143c

  • SHA1

    fada16eea394fa430f1f61d42d215407c443f0fa

  • SHA256

    8cff541190e9ca62091451c900a21b9a4fc92da38ce6984aafc417f92678f088

  • SHA512

    81707df42f033be361208862440d458ce1b71b50b58a3ae342b418a13658907447ebc82b842006e157c8865e744e63653f691ec4f186dcaa36bf953c8e99f767

  • SSDEEP

    768:b/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLB:bRsvcdcQjosnvnZ6LQ1EB

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\672d283bc8caee292af483b10389143c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\672d283bc8caee292af483b10389143c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3748

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

    Filesize

    64KB

    MD5

    7b535a78bd86ff759697ec0aea727a81

    SHA1

    665e0a493bf05f98d4fd7846f30889066b99ea12

    SHA256

    76a50e3fd98e7172dd2bc6b9f07a6930f9c26a57e6ec9651663d2b181509c09b

    SHA512

    2a47541ce6032fe6db93feaabac529443ebf25d3e0cad6c4851cf6a658800dc52a5414a2e0fcea384340983b3281b633cc27eaf77bf8c2e37db1ef80ee7e86da
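The indicators this report lists (the hashes of the submitted sample and of the dropped jusched.exe, the drop location under Program Files (x86)\Java\jre-09, the parent/child relationship between the %TEMP% sample and the dropped binary, and the FTP host from the extracted config) can be turned directly into a host hunt. The Python below is an added example and is not part of the sandbox report or of the sample; the Sysmon-style event records are constructed for illustration, and the location of the genuine Java Update Scheduler (Common Files\Java\Java Update) is an assumption used to flag a masquerading jusched.exe.

```python
"""Hunt for this report's indicators over host telemetry.

Added example, not part of the sandbox report. EVENTS is constructed for this
illustration; field names mimic Sysmon ProcessCreate (EID 1), FileCreate
(EID 11) and NetworkConnect (EID 3) records.
"""
import hashlib
from pathlib import PureWindowsPath

# Indicators copied from the report above.
KNOWN_HASHES = {
    "672d283bc8caee292af483b10389143c",                                  # MD5, submitted sample
    "8cff541190e9ca62091451c900a21b9a4fc92da38ce6984aafc417f92678f088",  # SHA256, submitted sample
    "7b535a78bd86ff759697ec0aea727a81",                                  # MD5, dropped jusched.exe
    "76a50e3fd98e7172dd2bc6b9f07a6930f9c26a57e6ec9651663d2b181509c09b",  # SHA256, dropped jusched.exe
}
DROPPED_PATH = r"C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
FTP_HOST, FTP_PORT = "ftp.tripod.com", 21
PROGRAM_FILES = (PureWindowsPath(r"C:\Program Files"), PureWindowsPath(r"C:\Program Files (x86)"))
# Assumption: the genuine Java Update Scheduler is installed here; a jusched.exe
# anywhere else is treated as masquerading.
LEGIT_JUSCHED_DIR = PureWindowsPath(r"C:\Common Files placeholder").parent / r"Program Files (x86)\Common Files\Java\Java Update"


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string (the report's hashes; SSDEEP omitted)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def parse_sysmon_hashes(field: str) -> set:
    """'MD5=..,SHA256=..' -> set of lowercase hex digests."""
    return {kv.split("=", 1)[1].lower() for kv in field.split(",") if "=" in kv}


def under(path: str, roots) -> bool:
    """True if path lies below any of roots (PureWindowsPath compares case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in roots)


def is_masquerading_jusched(image: str) -> bool:
    p = PureWindowsPath(image)
    return p.name.lower() == "jusched.exe" and p.parent != LEGIT_JUSCHED_DIR


def hunt(events) -> list:
    """Return (rule, pid, detail) hits; one event may trip several rules."""
    hits = []
    for ev in events:
        pid = ev["pid"]
        if ev["eid"] == 1:
            image = ev["image"]
            if parse_sysmon_hashes(ev.get("hashes", "")) & KNOWN_HASHES:
                hits.append(("known_bad_hash", pid, image))
            if is_masquerading_jusched(image):
                hits.append(("jusched_masquerade", pid, image))
            # "Executes dropped EXE": a Program Files binary whose parent runs from %TEMP%.
            parent = ev.get("parent_image", "")
            if under(image, PROGRAM_FILES) and "\\appdata\\local\\temp\\" in parent.lower():
                hits.append(("temp_parent_spawns_program_files_exe", pid, f"{parent} -> {image}"))
        elif ev["eid"] == 11:
            # "Drops file in Program Files directory"
            if under(ev["target"], PROGRAM_FILES) and ev["target"].lower().endswith(".exe"):
                hits.append(("exe_dropped_in_program_files", pid, ev["target"]))
        elif ev["eid"] == 3:
            if ev.get("dst_host", "").lower() == FTP_HOST and ev.get("dst_port") == FTP_PORT:
                hits.append(("ftp_to_extracted_host", pid, f"{ev['dst_host']}:{ev['dst_port']}"))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\672d283bc8caee292af483b10389143c_JaffaCakes118.exe"
EVENTS = [  # constructed records mirroring the process tree in the report
    {"eid": 1, "pid": 1100, "parent_image": r"C:\Windows\explorer.exe", "image": SAMPLE,
     "hashes": "MD5=672D283BC8CAEE292AF483B10389143C"},
    {"eid": 11, "pid": 1100, "target": DROPPED_PATH},
    {"eid": 1, "pid": 3748, "parent_image": SAMPLE, "image": DROPPED_PATH,
     "hashes": "MD5=7B535A78BD86FF759697EC0AEA727A81"},
    {"eid": 3, "pid": 3748, "dst_host": "ftp.tripod.com", "dst_port": 21},
    # Benign control: the real scheduler with an unrelated hash must not fire.
    {"eid": 1, "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": str(LEGIT_JUSCHED_DIR / "jusched.exe"), "hashes": "MD5=0123456789abcdef0123456789abcdef"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:40} pid={pid:<6} {detail}")
```

Run as-is it reports six hits, all on PIDs 1100 and 3748, and none on the benign control. In practice feed it a real Sysmon export, and compare `file_hashes()` of any jusched.exe found outside the Java Update directory against the report's MD5/SHA1/SHA256. The FTP credentials in the extracted config are an indicator to block and monitor at the egress, not something to log in with.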