Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2024, 14:06

General

  • Target

    6fe4ac17766e2878f6b57320cfafcbe4_JaffaCakes118.exe

  • Size

    492KB

  • MD5

    6fe4ac17766e2878f6b57320cfafcbe4

  • SHA1

    20f4ebae589f61726d5ad7ed29c87f222b3f4298

  • SHA256

    6ec7b2b08274592b5830ae39c0e6cae025367d455a7ee5407daea259f89b374f

  • SHA512

    17219231eb829d970b8bb6088fcf64e44460b3aa294cd6cfc5819672d45df41e399bd2e8f758ef5ab79f26a5235a2f00bff78d88ccfa2d450cd8aafb0ca6f9ba

  • SSDEEP

    6144:awcaAn70pz2YDY/XgvZX4NeCPwcaAn70pz2YJY/XgvZX4NeCIZvLKvu:aZn70l3SI4NhPZn70l3UI4NhIJLKvu

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fe4ac17766e2878f6b57320cfafcbe4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fe4ac17766e2878f6b57320cfafcbe4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\original.exe
      "C:\Users\Admin\AppData\Local\Temp\original.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 508
        3⤵
        • Program crash
        PID:2100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3508 -ip 3508
    1⤵
    PID:1444

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\original.exe

      Filesize

      439KB

      MD5

      940d08d63a521c34993b809b52c4596a

      SHA1

      ee37869129ea4d5b63ebe0a3c8bedc201489961c

      SHA256

      21c135e31a3e3b649d991c9e3e17f56fab8e27f2c03756048cbd747c72e996f2

      SHA512

      f10a1df05fbb268efc17509dd83fc4ad0c7ab407b18bffef169a8e64abf481223676d07dd0d9371e22c3bb1c5b074acabb0c338a0e41ae85a542d12c33d2bf50

    • memory/944-0-0x00007FFB65B75000-0x00007FFB65B76000-memory.dmp

      Filesize

      4KB

    • memory/944-1-0x00007FFB658C0000-0x00007FFB66261000-memory.dmp

      Filesize

      9.6MB

    • memory/944-3-0x00007FFB658C0000-0x00007FFB66261000-memory.dmp

      Filesize

      9.6MB

    • memory/944-14-0x00007FFB658C0000-0x00007FFB66261000-memory.dmp

      Filesize

      9.6MB

    • memory/3508-12-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB