Overview

overview

8

Static

static

3

8d516b88a1...18.exe

windows7-x64

8

8d516b88a1...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d516b88a13c5185eaf68d9d8e35f83e_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    8d516b88a13c5185eaf68d9d8e35f83e

  • SHA1

    02b2b0552a69831dfe4a89f32851bba64cb490ec

  • SHA256

    437c55b16ad3204d7b21bc391c10fd9e90863fa90f0e674bc2fb087d2c04efe8

  • SHA512

    f960462303cbaeb8238eeb6e29becd9526a309e07c200c0a149f1dab21daca6012cca140005b4721fbd7333367474ae20150b80ddc3a04ed02304ac061645bfe

  • SSDEEP

    1536:xIvPq/rk/lz555UEiUTwtUGaP7uKyYfN/ILqFHDN/c:xCP59z3yEpGazuEVJHJE

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 45 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d516b88a13c5185eaf68d9d8e35f83e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8d516b88a13c5185eaf68d9d8e35f83e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\mywcc080513.dll bgdll
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\downf.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\SysWOW64\myhhcc080513.exe
          "C:\Windows\system32\myhhcc080513.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3768
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
              PID:2680
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3632
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1220
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1832
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4408
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:952
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3408
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4900
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2508
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4436
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2612
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3128
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2484
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4180
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1148
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:468
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4000
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2260
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1984
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3968
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1764
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1636
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3836
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4608
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3696
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1100
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1368
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3972
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4844
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4880
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1656
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:540
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1708
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2268
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:828
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2312
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1984
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2360
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2212
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1636
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3496
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4256
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2556
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4368
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2828
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\myhhcc080513.exe
      Filesize

      76KB

      MD5

      8d516b88a13c5185eaf68d9d8e35f83e

      SHA1

      02b2b0552a69831dfe4a89f32851bba64cb490ec

      SHA256

      437c55b16ad3204d7b21bc391c10fd9e90863fa90f0e674bc2fb087d2c04efe8

      SHA512

      f960462303cbaeb8238eeb6e29becd9526a309e07c200c0a149f1dab21daca6012cca140005b4721fbd7333367474ae20150b80ddc3a04ed02304ac061645bfe

      Download Submit

    • C:\Windows\SysWOW64\mywcc080513.dll
      Filesize

      27KB

      MD5

      06a451ccae696f33f2317b2fa2a4ee5c

      SHA1

      6da33d5542306527f6bd64e6834f85ea96a8ad03

      SHA256

      93bb9f7b92671bedcc25422312dcaee96977272e4eaddaa0165afcdeef5c777c

      SHA512

      fdb097cb1b188ab465edcdb50172cb612946db1adb4c8e70d422df5832ece984d7a2e3de0354d9e39d283510901efdb8782028573880812545a11bf4262f3094

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      149B

      MD5

      f50b1895e8b022f8246df22155144aaf

      SHA1

      f6e9318a16a16138f54e25ca5d4af0d7b67fcf7d

      SHA256

      ee8ff07eab4a4b5ea967762194c737caf7618d91cdffa99f35d3e2cd89025b90

      SHA512

      3a8c4cd72ac431f084fac134f5dd82bf996eed17402c661e69d9f23b48080f579334b4e6e41c91a482d54adc82c7918921e0b51a72d20dc54b5dcfd005ac2ee9

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      189B

      MD5

      8ac1a254adab3e167db79c7c8deeac14

      SHA1

      0b4dea33744726c43f4832b95a12ada1f0fa820a

      SHA256

      e581673347ebc4fb3b51c05280f7a79bff1d8e265cc6c0ccb9e91bb7c07a91bd

      SHA512

      820e137bd6949e74da2fa8703fef339002fd794a3cfde02e6465229b3c751e134376c03c6ad31350f45589f6ee3fd91691b6072aaed4ced6a0aa672a7fbdb92c

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      99B

      MD5

      ebf7ce997e709bb69f901386c616bdb1

      SHA1

      10b6ca9153d5fbd48b86e309afdc34488700bdb2

      SHA256

      04e86a236099a5d6b53e4dbfa34499f0fffac95f7943f3a4238d900fe301d069

      SHA512

      9a9160f73c68fa8da4ab7d7e2f8d882570f4f774d930bde2f08fdc1b30e5a015b15de1d03e5203ae6bb8d5c029fbe53ed41fc3cefd71b91332f9b131c93000a8

      Download Submit

    • C:\downf.bat
      Filesize

      50B

      MD5

      21e1cd421aebee2c6d8629f28a3d5e3c

      SHA1

      50927f5e5b69513d53f1c479c0b713f5d5e134e9

      SHA256

      3414a087b7c86799a143faf9c5342a54573a89e51de6803f915bb8a17a46d775

      SHA512

      d1e05f18d19a8322680ad2b3bafab4ba4fe4c0e11d3b2df1224c6d150203f0c9fc7f86491fc523de1720de6f0506de9743e0107ff17746a3c4dc916ba841036a

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      233B

      MD5

      beb4349a4c174b14db0633c6297146b9

      SHA1

      25c8bea127d2b152600bcf30ed17f342dc1ceec5

      SHA256

      6c15c423c14c6c6be09c2fa753b9092234fa9aba746c799966de6156b9db30f0

      SHA512

      b6c539c7ff0ddff4c343eaa82658ac81d36323e60ccee807f812efae31f3d3879570043143d72b8832b6cea1bd19102d6d9e4fca7257c16d7a1a7a2dca9221a9

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      137B

      MD5

      69fbdb93c32ac26f2440381eb78ca8ca

      SHA1

      6a6c2bfb0b6737abfe0d126554b0a6c9fe6f99a0

      SHA256

      656685bf5598ede2ac2c48dca16f41cdd871bcd695ff571ed6da925e9ead8bc1

      SHA512

      0197ec63c5416fd86254059f06545b4650d27fd1e28fd1e955a83f2f1c11cf05427a11ef30ec94382204f17fc46e087c07e011f1f5bbd5c91cd2b6c8dea9fcb1

      Download Submit

    • memory/2880-28-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2880-36-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download