Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/08/2024, 01:00

General

  • Target

    843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe

  • Size

    225KB

  • MD5

    843af912fff6ee44d7aaf4e9f625f509

  • SHA1

    7721563ba449f133f2592927d16c5a65da27ed19

  • SHA256

    c22c15b1fa25f120fe98f22241b86daf93addea99e92bdbb2945744b1f584d81

  • SHA512

    e1e4061e5ca54e60c9a4360f3c26aede755c0ed67e6bda998949b4eda894d14411cf65b5a2a08a0a607ce07f3df48639145ad37e3ad2c34de4636aa8efed3c65

  • SSDEEP

    6144:yNxJdew0qZfYp+cWZaKJ9VaJtPjtixbwSpMel:wJww0UfYpvi/TAPJixUSpM

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\windows\SysWOW64\net.exe
      "C:\windows\system32\net.exe" stop wscsvc
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop wscsvc
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1104
      2⤵
      • Program crash
      PID:3832
    • C:\Users\Admin\AppData\Local\Temp\frame2_276.exe
      "C:\Users\Admin\AppData\Local\Temp\frame2_276.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3140
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 312
        3⤵
        • Program crash
        PID:2820
    • C:\Users\Admin\AppData\Local\Temp\liar3.exe
      "C:\Users\Admin\AppData\Local\Temp\liar3.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2380 -ip 2380
    1⤵
    PID:1512
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3140 -ip 3140
    1⤵
    PID:3232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\frame2_276.exe

    Filesize

    164KB

    MD5

    52d914c8fa26ae793b012c68291719f9

    SHA1

    71974b58f8de726790b3eadea931a73bf7bad1cd

    SHA256

    b77333164092b48615c8826ac7694f47819f070f6cc793d62363844a8c49c20f

    SHA512

    9ac6801fce8f8b49e15302932dd0198c8c0bf0e5ce7f48899081420ad774781d66d10d341e1c845252179b0caad0568a16f7b83fe109a5165976a2e95d70342e

  • C:\Users\Admin\AppData\Local\Temp\liar3.exe

    Filesize

    57KB

    MD5

    c75a9e75f5dc84b3d4769a29759dabee

    SHA1

    a792aab93744e9ba579564955bac31a6cbfb6d2e

    SHA256

    07f1f51821713642e753d3477f30b15c09a43fde4846a7d79dca16afe9e06c99

    SHA512

    36ffa7d59e18d8655dd187488654a77dfbbbb3cbc32328711167afb3d871f319ce5b95cdcdb01a9aaecdf88001ff427a0a2e9f41481bb07070d2dde30614147c

  • memory/3140-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3140-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4448-17-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB