Overview

overview

10

Static

static

3

6f35066082...18.exe

windows7-x64

10

6f35066082...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 10:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6f3506608239d343b34e9ba11da64300_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    6f3506608239d343b34e9ba11da64300

  • SHA1

    3513cc8829c23ca97ea4c73e8502a6b991c86ca6

  • SHA256

    58f1a6967cc6b7999c6864863d993a19d0283ded6b056679bbfb525755ec1da7

  • SHA512

    0ff008f2d01161efd14b86a0b39124257b53513cb60cf5a0307bedff159c90f9c44e229d96b193e50416d650afd88129a60f48ff042b5e9c81bc9fac6fb61d44

  • SSDEEP

    1536:NGtG/82NTzwsMGAc4ohrPXo+73Rez8b0SyuNIjnZq:/wburPX7CuCnY

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f3506608239d343b34e9ba11da64300_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f3506608239d343b34e9ba11da64300_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Users\Admin\tpguy.exe
      "C:\Users\Admin\tpguy.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4184

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\tpguy.exe
          Filesize

          100KB

          MD5

          c235427d37da72b31d3cce9fa9f2efc5

          SHA1

          8ab5c666b31093a9e081bbbd9ca320d79106e855

          SHA256

          62eaf810f67062cd6710454817716a0f5018312615d794caac7dc979d7a3f3be

          SHA512

          355545ddde9a422b14879cc89134ba68da4840b49b21e7617a4ae820671dc5edb69c83c8bd18f267b35106f68ccac39b6fd286490e138d4660fc2d0bb71da75b

          Download Submit