Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-08-2024 02:12

General

  • Target

    846f8d936f608d3000ded4691a81c0f3_JaffaCakes118.exe

  • Size

    240KB

  • MD5

    846f8d936f608d3000ded4691a81c0f3

  • SHA1

    d6e42d2c39c8e1f2d898a2c5679e13faf6597e50

  • SHA256

    f1a16f6850f31cc8f6715bb641ce3c002b25554f92b5f83f16ef3a4726712d1b

  • SHA512

    80fb5c5635e22c38b768d23f64ac404cf015b0a52ff2f8543c0eb5a803121b7c2981ac71feb6fc5fb13eb89c4d33d74b84b1f99df7eb166ee49e0d92d3950290

  • SSDEEP

    6144:tU13dwqsNwemAB0EqxF6snji81RUinKchhyZS36:edQQJsAK

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 27 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\846f8d936f608d3000ded4691a81c0f3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\846f8d936f608d3000ded4691a81c0f3_JaffaCakes118.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\vfbuz.exe
      "C:\Users\Admin\vfbuz.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\vfbuz.exe

    Filesize

    240KB

    MD5

    6841befda012843c380a1875bcdef71b

    SHA1

    191abc6d1cd83a68521e2bf17615542ff95bf62c

    SHA256

    9ab9c8185b7fae454d7485910260f7c5f01cde8616b0ae4bd2516c14929d2d8a

    SHA512

    4a6ecc3a8555569cc6f23288cc8b99816a41692aad2f70b6fca7c3071373e33be19b3ac2fb91c1a847ec9814d69e187881b3b4eebb058f141942dbd10c6a29a0

  • memory/3240-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3240-37-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3460-34-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3460-38-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB