Overview

overview

7

Static

static

3

7743e85e4a...18.exe

windows7-x64

7

7743e85e4a...18.exe

windows10-2004-x64

Analysis

  • max time kernel
    11s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240729-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 06:51

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    7743e85e4aab9c595053d4a605887cfe_JaffaCakes118.exe

  • Size

    45KB

  • MD5

    7743e85e4aab9c595053d4a605887cfe

  • SHA1

    91c318d180aef4abae035cf5d11705d307caf4d2

  • SHA256

    92fceb949c5b1c34aa19377b103439c44a8f61ea4db43173883262ddcd71a5b8

  • SHA512

    4a1112def84d26c4f42b40d46256f2b9bba2e60ace6f7da2e73f38234b539ed9901c8856bc70556a1fa741c44aede6088cb771a9a7eb3c0f2f2949da5c0cb82e

  • SSDEEP

    768:y3J3kyPnf7zO23G43LLc/2vYPif9Ia3gn+hpJqOcsMVKFGARS+igNz:y3J3ka3/XEfif9PJT1F7FG2S+igNz

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3092 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1600
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweAC2E.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe_JaffaCakes118.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe_JaffaCakes118.bat
    Filesize

    267B

    MD5

    15993c9de2639c5ad35ad2ad8c5c3c89

    SHA1

    92b469277716e37c3a80ef30ffde3c2091c80f8e

    SHA256

    fdac54364ff44e44ac29db5b767d3e9007ac7c3dee0d76925ac9530dba5749af

    SHA512

    ce1615435ce77567dab9c536b9c8eb35e64f87948ad9e24de2d3ca8e68a1a4df4a8d937d669975ce6d9b4da597055377a55551a755657708594915ce4a3dcbc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tweAC2E.bat
    Filesize

    188B

    MD5

    463647cd0d9c14116f4263db87aebc38

    SHA1

    d98bdb326ed601ca607645be86e89a8cfabdb491

    SHA256

    6a96f8e8e46f197245df51ea0ec5cd69aa14a05261bba96f73ea800a916416f7

    SHA512

    64b6fb80277aedd41e267963ed886ee0c126718dfdc9e3ab74f4f3e5d31054d409654f438ca8e2bdf0cf7fae165a8397a3d03942386c9244e364b4269b785daf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tweAC2E.tmp
    Filesize

    32KB

    MD5

    7ac9acb5469776c2f03d943037d47298

    SHA1

    8f8838c3da0df25c95c6fb50205c427d2afc7543

    SHA256

    16a9514b509206e55689a8bd6a1edae52987efc8459a021d5cec3b5c54946b15

    SHA512

    51b168d05103e9439e920e6b1c9b5b817e3e7255b7d18b89d88140311fa9313240037f1449c908c512b5c0b105581895b31a6182f60ced2d6ad396fb67502d3e

    Download Submit