Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11-08-2024 15:34

General

  • Target

    8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe

  • Size

    26KB

  • MD5

    8aed4fef70cc9f4842c3a011c85981c7

  • SHA1

    902f4a051f9336335c63a1072084979f646e23b1

  • SHA256

    34b61cbe71dff76ba1cb1a081bfc97aa46f0b2c00ce4cbee92f4b01c9a57e146

  • SHA512

    e3efea9b8fb00599ae1edaca47127bf8087df8269c421819f58b2db636bcc65c54b59a896b9d5ef485f4669b9951328f1e78a57aa46f1e29766695117a2fafa2

  • SSDEEP

    768:rUgIKI0QN2HKiJFIDJqI82oRZaP4XmhjSFY:QZK/HLJ0qZaP9jSC

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\wicheck080513.dll" myjkl
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\mycjjk.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\wicheck080513.exe
          "C:\Windows\system32\wicheck080513.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3744
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\jkDe.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3308
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1848
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2212
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1720
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1328
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\jkDe.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1208
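
The process tree above follows a common dropper pattern: the sample in %TEMP% loads a dropped DLL through rundll32.exe (export myjkl), that DLL runs a batch file from the drive root, the batch file starts a self-copy from SysWOW64, and a second batch file (C:\jkDe.bat) repeatedly pings 127.0.0.1, the usual batch idiom for sleeping before cleanup. The following script is an added example, not part of the sandbox output: it rebuilds the tree from a constructed event list (paths, PIDs and command lines copied from the Processes section, parent PIDs inferred from the nesting) and runs three detection rules over it. The report lists PID 4228 twice (the sample and a later PING.EXE, i.e. the sandbox saw the PID reused), so the constructed list omits the second occurrence to keep the tree keyed by PID. Rule names and thresholds are this example's own choices.

```python
"""Detection rules over a process tree modelled on the sandbox report.

Added example: the events are constructed from the report's Processes
section; the rules and their names are this script's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe"

# Constructed from the report; ppid 0 marks the root. The second PID 4228
# (a PING.EXE that reused the sample's PID) is deliberately left out.
EVENTS = [
    ProcEvent(4228, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1460, 4228, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Windows\system32\wicheck080513.dll" myjkl'),
    ProcEvent(1624, 1460, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\mycjjk.bat" "'),
    ProcEvent(4688, 1624, r"C:\Windows\SysWOW64\wicheck080513.exe",
              r'"C:\Windows\system32\wicheck080513.exe" i'),
    ProcEvent(3744, 4688, r"C:\program files\internet explorer\iexplore.exe",
              r'"C:\program files\internet explorer\iexplore.exe"'),
    ProcEvent(3308, 4688, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\jkDe.bat" "'),
    ProcEvent(1848, 3308, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2212, 3308, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(3460, 4228, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\jkDe.bat" "'),
    ProcEvent(1208, 3460, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Parent image lives under a user-writable AppData path (Temp, Roaming, ...).
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
# A .bat directly in a drive root: one path component after "X:\".
ROOT_BAT = re.compile(r'"?([A-Z]:\\[^\\"]+\.bat)"?', re.I)
# "ping 127.0.0.1" with an optional -n count: loopback ping used as a sleep.
LOOPBACK_PING = re.compile(r"^ping(\.exe)?\s+(-n\s+\d+\s+)?127\.0\.0\.1\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain(events, pid):
    """Image basenames from the root process down to `pid`."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(names))


def analyse(events):
    """Return (pid, rule, evidence) tuples for every rule that fires."""
    by_pid = {e.pid: e for e in events}
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = _basename(e.image)
        # Rule 1: rundll32 started by an executable in a user-writable path.
        if name == "rundll32.exe" and parent and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, "rundll32 parented by AppData executable", e.cmdline))
        if name == "cmd.exe":
            # Rule 2: cmd.exe /c running a batch file from a drive root.
            m = ROOT_BAT.search(e.cmdline)
            if m:
                findings.append((e.pid, "batch file executed from drive root", m.group(1)))
            # Rule 3: the batch file's only visible work is pinging loopback.
            pings = [c for c in kids.get(e.pid, []) if LOOPBACK_PING.match(c.cmdline)]
            if pings:
                findings.append((e.pid, f"loopback ping used as delay ({len(pings)} pings)",
                                 e.cmdline))
    return findings


if __name__ == "__main__":
    for pid, rule, evidence in analyse(EVENTS):
        print(f"PID {pid:>5}  {rule:<45}  {' > '.join(chain(EVENTS, pid))}")
        print(f"           {evidence}")
```

Rule 3 is the one worth tuning in production: a single loopback ping from an interactive cmd.exe is noise, but a .bat spawned by a process that itself descends from a user-writable path (which `chain()` makes visible) is the self-delete pattern seen here.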

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\wicheck080513.dll

    Filesize

    28KB

    MD5

    4d67db9ff8e2714f603ad0437f30d10e

    SHA1

    9c7a039b8c6b8b4067d6e049221c9f97d3a62a18

    SHA256

    6bf84b1db64d46cfb9f11450560153c0b4a7297d7aa29c1948754e8c51eb22a4

    SHA512

    9c21bf97c60cf399e81bc3477bb36732611e7ca1631bfec47bd842dd46a6b2743c5d5683a1d6dd100841e28ecac45802ce6dd93d7579eb27663c9e04709baa6a

  • C:\Windows\SysWOW64\wicheck080513.exe

    Filesize

    26KB

    MD5

    8aed4fef70cc9f4842c3a011c85981c7

    SHA1

    902f4a051f9336335c63a1072084979f646e23b1

    SHA256

    34b61cbe71dff76ba1cb1a081bfc97aa46f0b2c00ce4cbee92f4b01c9a57e146

    SHA512

    e3efea9b8fb00599ae1edaca47127bf8087df8269c421819f58b2db636bcc65c54b59a896b9d5ef485f4669b9951328f1e78a57aa46f1e29766695117a2fafa2

  • C:\Windows\checkcj.ini

    Filesize

    139B

    MD5

    586098dd2c11cb63f915ac3208e56f09

    SHA1

    8ca2b8c8df35a8c817d450652e4cde5b4c1fb25c

    SHA256

    abc712cb0c4aa774a10dc737c97b6c384d9c3359409e7a5f43c9d79cb8ce2750

    SHA512

    55853a033d81d7ac119cb9b3574fe46418f1d146c12a4aaae3190e2c7ed41d7386f0f437162df9fe54142b1ab502ea81bcffec6102c6672acedd682caafa6f14

  • C:\Windows\checkcj.ini

    Filesize

    120B

    MD5

    12d69be3832672e1b282b5b316e6cfac

    SHA1

    1d0a2106773d192973bcc73673e865fc605e938a

    SHA256

    5ae1be0c74f92765b45193415cd0dfa089f07d29edea0298f46414f6024e9ce1

    SHA512

    a4c308cbea79a699c21505fae873a93d07a1ddcc38da8270deb8fc8f9755936fa20a34c3475b7f194827072a4bae98f1c5bfd3df34f3c688c5e46cef8eaef5a6

  • C:\jkDe.bat

    Filesize

    233B

    MD5

    8da98cb92caffd889faa22d567ac56b6

    SHA1

    2e0352090d42c0fb46a4115e4f892ee6830b1050

    SHA256

    9eba4ba7689f364315a64d1982ef6e90d5d52410b3cb5ae6efeed19711997e68

    SHA512

    4e9c6474821f7c6abb2b5ad210944e1a79cc65014600275424b787cff42b2aef2207ec1a53e48c58e9747774f8e9031fcd58ec6f7a34034705ed6736c9fb4da7

  • C:\jkDe.bat

    Filesize

    139B

    MD5

    086f4ed328a1c7dda89fafbaa31aee95

    SHA1

    7c44ded50be4c880bb11d875ed1a04c3424164f2

    SHA256

    17ffeb861fcfdc1e93a93604e044e9e9ad2779588c268b352321c267014b7bc5

    SHA512

    095d721b743da82f9f7797f23d1666e7c3ed1ce4664b3621f3d132c1185fdd35f311723f277693203dfbdeed3f27f7caeb842c5f2f8fa3cc2a5798323eb9602c

  • C:\mycjjk.bat

    Filesize

    51B

    MD5

    356488514f5ce5218bf13d343f4f0f5b

    SHA1

    5e4569c804470be74a4523172c5a9291a9950c84

    SHA256

    e6ae4bdf56f355ef9d34951e9da3681b584248a5f83c2e74c852ef9a9ce2e411

    SHA512

    4803dfb661c63e66699efe6abbc149f5f1c706cd9b430df1f7d8e5558ae55d35be7cb37ce27807b1e25100536d401cd8f48dffdb333cb2968f31d0eb1f6346a8

  • memory/1460-16-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1460-22-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1460-37-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB
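
Two things in the Downloads list are worth pulling out mechanically rather than by eye: C:\Windows\SysWOW64\wicheck080513.exe carries exactly the submitted sample's hashes (a self-copy into the system directory, not a second payload), and C:\Windows\checkcj.ini and C:\jkDe.bat each appear twice with different hashes (the sandbox recorded two writes of different content to the same path). The three memory dumps all cover 0x400000-0x40D000 in PID 1460, the rundll32.exe process, and 0x400000 is the traditional default image base of a 32-bit PE, so that range is the natural candidate for the dropped DLL's mapped image. The script below is an added example, not sandbox output: the artifact table and dump names are constructed from the Downloads section, and the function names are this example's own.

```python
"""Correlate dropped-file artifacts and memory-dump names from the report.

Added example; ARTIFACTS and MEMDUMPS are constructed from the Downloads
section above.
"""
import re

SAMPLE_SHA256 = "34b61cbe71dff76ba1cb1a081bfc97aa46f0b2c00ce4cbee92f4b01c9a57e146"

# (path, size as printed, sha256), one row per entry in Downloads
ARTIFACTS = [
    (r"C:\Windows\SysWOW64\wicheck080513.dll", "28KB",
     "6bf84b1db64d46cfb9f11450560153c0b4a7297d7aa29c1948754e8c51eb22a4"),
    (r"C:\Windows\SysWOW64\wicheck080513.exe", "26KB",
     "34b61cbe71dff76ba1cb1a081bfc97aa46f0b2c00ce4cbee92f4b01c9a57e146"),
    (r"C:\Windows\checkcj.ini", "139B",
     "abc712cb0c4aa774a10dc737c97b6c384d9c3359409e7a5f43c9d79cb8ce2750"),
    (r"C:\Windows\checkcj.ini", "120B",
     "5ae1be0c74f92765b45193415cd0dfa089f07d29edea0298f46414f6024e9ce1"),
    (r"C:\jkDe.bat", "233B",
     "9eba4ba7689f364315a64d1982ef6e90d5d52410b3cb5ae6efeed19711997e68"),
    (r"C:\jkDe.bat", "139B",
     "17ffeb861fcfdc1e93a93604e044e9e9ad2779588c268b352321c267014b7bc5"),
    (r"C:\mycjjk.bat", "51B",
     "e6ae4bdf56f355ef9d34951e9da3681b584248a5f83c2e74c852ef9a9ce2e411"),
]

MEMDUMPS = [
    "memory/1460-16-0x0000000000400000-0x000000000040D000-memory.dmp",
    "memory/1460-22-0x0000000000400000-0x000000000040D000-memory.dmp",
    "memory/1460-37-0x0000000000400000-0x000000000040D000-memory.dmp",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def self_copies(artifacts, sample_sha256):
    """Dropped paths whose content is byte-identical to the submitted sample."""
    want = sample_sha256.lower()
    return sorted(p for p, _, h in artifacts if h.lower() == want)


def rewritten_paths(artifacts):
    """Paths recorded with more than one distinct content hash -> count of hashes."""
    seen = {}
    for p, _, h in artifacts:
        seen.setdefault(p, set()).add(h.lower())
    return {p: len(hs) for p, hs in seen.items() if len(hs) > 1}


def blocklist(artifacts, sample_sha256):
    """Unique, well-formed SHA-256 values of dropped files, excluding the sample's own."""
    out = set()
    for _, _, h in artifacts:
        h = h.lower()
        if HEX64.match(h) and h != sample_sha256.lower():
            out.add(h)
    return sorted(out)


def parse_memdump(name):
    """Split a sandbox dump name into pid, sequence number and the dumped range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end,
            "size_kb": (end - start) // 1024}


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies(ARTIFACTS, SAMPLE_SHA256))
    print("paths written more than once:", rewritten_paths(ARTIFACTS))
    print("hashes to block:", len(blocklist(ARTIFACTS, SAMPLE_SHA256)))
    for d in MEMDUMPS:
        info = parse_memdump(d)
        print(f"pid {info['pid']} dump {info['seq']}: "
              f"0x{info['start']:X}-0x{info['end']:X} ({info['size_kb']}KB)")
```

When triaging, collect both versions of the rewritten files: the 233B and 139B copies of C:\jkDe.bat are the two cleanup scripts the tree shows being run, and the .ini is the state the dropper keeps between stages.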