Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11/08/2024, 21:45

General

  • Target

    8c17952e2f45fd866063b76d298aaa47_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    8c17952e2f45fd866063b76d298aaa47

  • SHA1

    2cbfddee5766f4846541662eda0189c3e7c99764

  • SHA256

    62db603bede85c0ee03a8978ebe00648b5b3a57e54583304d74b66a383fc9e0c

  • SHA512

    324081666b8581d16d8b3cfd9d0c503c98094c7086ac2ddeb3d5d72cac2d6d9fb5fbb1d4ce2d72b490e99764b558327546e33348229de6131c6cde58e83a4a9c

  • SSDEEP

    24576:qr5DBCssPSW8QHpVyzlCDJRlnei29C5yU2mY5YtylkPnBsxL9AAMyQmV/8hQzDA/:q7wSHzlmlneiPAYcl8B330V/2mixtWK

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c17952e2f45fd866063b76d298aaa47_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8c17952e2f45fd866063b76d298aaa47_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Users\Admin\AppData\Local\isass.exe
        "C:\Users\Admin\AppData\Local\isass.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4404
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:4516
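The persistence step at the bottom of the tree (reg.exe adding a Run value named lsass whose data is isass.exe in AppData\Local, written with escaped quotes inside the /D argument) is the kind of event a detection rule should catch. The Python below is an added example, not part of this report or of any sandbox's own logic: it replays the process tree as constructed process-creation events, parses the REG ADD command line with a small argv-style splitter, and flags Run-key persistence, Run targets in user-writable directories, and binary names that imitate core Windows processes (isass vs lsass). The event tuples, the ATT&CK mapping to T1547.001 and T1036.005, the list of protected process names and the confusable-character table are the example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Process-creation events reconstructed from the process tree in this report, as
# (pid, ppid, image, command line). Constructed sample input, not sandbox output.
EVENTS = [
    (3736, 0, r"C:\Users\Admin\AppData\Local\Temp\8c17952e2f45fd866063b76d298aaa47_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\8c17952e2f45fd866063b76d298aaa47_JaffaCakes118.exe"'),
    (880, 3736, r"C:\Users\Admin\AppData\Local\Temp\install.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\install.exe"'),
    (5052, 880, r"C:\Users\Admin\AppData\Local\isass.exe",
     r'"C:\Users\Admin\AppData\Local\isass.exe"'),
    (4404, 5052, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "'),
    (2552, 4404, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f'),
    (4516, 2552, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed list of core Windows process names worth protecting against lookalikes.
SYSTEM_NAMES = ("lsass", "csrss", "smss", "svchost", "winlogon", "wininit", "services", "explorer", "spoolsv")
# Characters commonly swapped to imitate a system binary name (isass -> lsass, svch0st -> svchost).
# Both sides of the comparison are normalised, so the table only needs to be consistent, not complete.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "$": "s"})
LOOKALIKE = {n.translate(CONFUSABLES): n for n in SYSTEM_NAMES}
RUN_KEY = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\software\\microsoft\\windows\\currentversion\\(run|runonce)$",
    re.I)


@dataclass
class Alert:
    pid: int
    technique: str  # ATT&CK technique ID (assumed mapping)
    detail: str


def win_split(cmdline):
    """Minimal CommandLineToArgvW-style splitter: honours double-quote grouping and
    backslash-escaped quotes, and keeps every other backslash (Windows paths) as-is."""
    args, cur, inq, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            inq = not inq
        elif c.isspace() and not inq:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` anywhere in the command line, else None."""
    toks = win_split(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(low) - 2):
        if ntpath.basename(low[i]) in ("reg", "reg.exe") and low[i + 1] == "add":
            rest = toks[i + 2:]
            break
    else:
        return None
    key, opts, j = rest[0], {}, 1
    while j < len(rest):
        if rest[j].lower() in ("/v", "/d", "/t") and j + 1 < len(rest):
            opts[rest[j].lower()] = rest[j + 1]
            j += 2
        else:
            j += 1
    return key, opts.get("/v"), opts.get("/d")


def masquerade_reason(path):
    """Flag a binary named like (or imitating) a core Windows process that is not in System32/SysWOW64."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    real = LOOKALIKE.get(stem.translate(CONFUSABLES))
    if real and not path.lower().startswith(SYSTEM_DIRS):
        return f"{stem}.exe imitates {real}.exe but runs from {ntpath.dirname(path)}"
    return None


def scan(events):
    alerts = []
    for pid, _ppid, image, cmdline in events:
        reason = masquerade_reason(image)
        if reason:
            alerts.append(Alert(pid, "T1036.005", reason))
        parsed = parse_reg_add(cmdline)
        if parsed and RUN_KEY.match(parsed[0]):
            key, name, data = parsed
            # reg.exe stores the escaped quotes literally; strip them to recover the real target path.
            target = (data or "").strip().strip('"').strip()
            alerts.append(Alert(pid, "T1547.001", f"{key}\\{name} -> {target}"))
            if target.lower().startswith(USER_WRITABLE):
                alerts.append(Alert(pid, "T1547.001", f"Run target lives in a user-writable path: {target}"))
            reason = masquerade_reason(target) if target else None
            if reason:
                alerts.append(Alert(pid, "T1036.005", f"Run value '{name}': {reason}"))
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"pid {a.pid} {a.technique}: {a.detail}")
```

Run against the events above, both the `cmd /c REG ADD` line (PID 2552) and the reg.exe child (PID 4516) produce the Run-key and user-writable-target alerts, and isass.exe is flagged twice: once when it executes from AppData\Local (PID 5052) and once as the Run value's target. A real rule would normally alert only on the reg.exe image to avoid the duplicate, but matching on command-line content also catches the case where the registry write is proxied through a script host rather than reg.exe.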

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.exe

    Filesize

    1.5MB

    MD5

    7905782b19842e3b1a84a9d1f7bd7189

    SHA1

    642b3b96a5219bca2115790415600a9c9d56c72d

    SHA256

    9de88816bfeaa59da3e2e8a703c38fa7d51afe5f2a5b9f0c1c619e26d5d721f8

    SHA512

    674096ca4a84be6a4bf0f4a3c51cf4100db165c0e2d1051c14a6e6707111fab40c252ce276b64b206070c4d473964686a610b2da0d8672d2eab5ef0ae0a74f1f

  • C:\Users\Admin\AppData\Local\Temp\setup.bat

    Filesize

    143B

    MD5

    330d9a81f808b287b999c76c1d932ed6

    SHA1

    95146f6f084c39395e2fae892af065e85fddb8d1

    SHA256

    4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

    SHA512

    4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

  • C:\Users\Admin\AppData\Local\isass.exe

    Filesize

    540KB

    MD5

    bdfd0629a0af77719b00970ffa5d5146

    SHA1

    e063bcc4d303a4677fcd1280f124a99ae04ffdab

    SHA256

    1043d67d9303502c3b8de7912d825388d1177d841b3dc8ec7ae94002c1005e98

    SHA512

    7bb605ca3e6689a98d65cc46e3afb7d6f21ac052b9d5ac8f6339f930ffa8ce4dc7c44914171037a2cbbb101e073a2baef3ad2f1b3e6e043c004e3f8ed23a9e77

  • C:\Users\Admin\AppData\Local\ntldr.dll

    Filesize

    186KB

    MD5

    3b3f633865e78b077471b52a8e08c7ae

    SHA1

    49867697fe9f6dd2025ec2081e0c8606257e008a

    SHA256

    76230baac105470e82f2fdedc13865d9f46c7349ffcc66e239b95893ea433fd4

    SHA512

    77b9d6eaf413ecb24d552fbe7985ed6d277123eee1b4294db0dc52d5bc396de9c445dc53254f964dfe0ade21e2c54cba17ac6e3008c6935387fbd3e8f1442a1b

  • memory/880-11-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

  • memory/880-21-0x0000000000400000-0x0000000000586000-memory.dmp

    Filesize

    1.5MB

  • memory/3736-0-0x0000000002390000-0x0000000002391000-memory.dmp

    Filesize

    4KB

  • memory/3736-9-0x0000000000400000-0x00000000005FD000-memory.dmp

    Filesize

    2.0MB

  • memory/5052-23-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

    Filesize

    4KB

  • memory/5052-26-0x0000000002210000-0x0000000002242000-memory.dmp

    Filesize

    200KB

  • memory/5052-31-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/5052-32-0x0000000002210000-0x0000000002242000-memory.dmp

    Filesize

    200KB