Analysis

  • max time kernel: 150s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/08/2024, 07:16

General

  • Target: 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
  • Size: 341KB
  • MD5: 8dcfdab5597153078156bcbf241b2da3
  • SHA1: 40700cdc0388bf79cd0e84360418019f96d67e3a
  • SHA256: 651ee7e5a335bd50c322c0f5c1fea2b818da6a6e1ba93545b1ccb60d06823669
  • SHA512: 1302afa15ad3e77102e20f7d7bcfbf9399bb03952b526f9133b8b0ae512736fbfa468e9bd3c5629cec70b537854eb456d3894a14a4736e310ffa411a5d008603
  • SSDEEP: 6144:CY94NO1xOzb8pDzCBPId9QQfHdlm5zVpGM7y2w0kzmDNwuiqUCuI3YfhHbHn:B9Ogxqb+6ITTvzQzzGM780yzrqd3a7H

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UniKeyNT.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UniKeyNT.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:636
      • C:\Windows\SysWOW64\svghost.exe
        C:\Windows\system32\svghost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2692

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UniKeyNT.exe
    Filesize: 212KB
    MD5: e2878cc39db71606f2f77186a0fd16de
    SHA1: 01caeb20b5b39f14ecd9fd9486d6ae70e188a877
    SHA256: 59d4e7d2160a63714a5a9dfe201b7eb4bda81cc13db3c7678e5e58661e1704c8
    SHA512: 30c4d53b2b727e2c6b4c4cedb180cdc17289841c8f0c99715cdb711cd9a149002ea08445ab3a9343f40c40be4a93c863b9e98f89c8348c7fe6b483b77f55fb3a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
    Filesize: 996B
    MD5: 7d1fcfc93a76b433293ed2c0296445e4
    SHA1: 0f5834a7f6e21414e47099194d3115475caf1e94
    SHA256: 710a8a7100371059bba1af89ce1c932028ffda0cc28fb067f3cfe199e49a4da2
    SHA512: 3f4d88d359d87e34b3370e77f13c656d6b4459d330d83d30dc4a0f81704693ea76afe0e4d7b6aff980efee2504d5bd4609b2ccafc228d39347e7a7b5a5ce3e67

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
    Filesize: 4KB
    MD5: 9b4a0a5d74e2b803bc0a07914734a0ae
    SHA1: 4ea85e55a59a05e7f343bb37c3a3f4e05492316a
    SHA256: 7e12bf1eb36c6cc5c87f0dcf30b11b243173f47c142d19b42dfa4880326c8900
    SHA512: 662e7227dd81b7f3c59ccd0961bba1d8ba2d23ca42ea11f9421e668b579f99d65300f6adc7283d952ac579b05a52f3e0be0e691354464e7967d7c120e16462d2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    Filesize: 7KB
    MD5: a455ca431e66975d886f1a8cfee8cb9f
    SHA1: 95868529973c77199b76ec593a686d9b324dee8b
    SHA256: 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056
    SHA512: 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svghost.exe
    Filesize: 428KB
    MD5: 7788e7d2bf36d02c2366a96ae00a382a
    SHA1: a003bcc0145724c9122c8bd796b14d1a788ba400
    SHA256: 8a0e3acfbd5c01c08838bf4d197e36d4932c2af29a0f302c1b2c33872956b851
    SHA512: 5ca731541e8d661b25024b70efec8f567bc0b9cf77de3ebb110899991bc1f64aca189a899a9d070ecc323b66b0c3e09d77671d10982b0717fc36329fefa3a30b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svghosthk.dll
    Filesize: 24KB
    MD5: 9c62df1b2775adf5d266c8fdabe74693
    SHA1: 1e014e07f1adb6e33cf0e8e999c334abe38ab3d2
    SHA256: 5699265a4266bb9c5c99d0eb32ee48b1d1915a55f76e5073d602855599617cb8
    SHA512: 700261cd72811f1e0f632207decbfdd03410ef7ca3121f7daf06da326949c9869f485a935330eb5fddbe7df6feec0d7dc590b9288af08aa24c7eeb08ee02b313

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svghostwb.dll
    Filesize: 40KB
    MD5: ac4573c526930a1b7f7a093b6e5f5ee2
    SHA1: 49be4355a2b938e82eecb5bda9387d15b983d79e
    SHA256: 7cca36c0510671ea4f4c10135c107e31250b0a55691d0fd7e7e67023859ef96c
    SHA512: 8865f7b1cfeb495fe2ea853ea6c602ced28227f64f7796f510d4933fe58f20c5eadefab682350ca7fed8e3ddc808bbee751cba57750d741efd397ddb8f3c90d0

  • C:\Windows\SysWOW64\pk.bin
    Filesize: 4KB
    MD5: 11b1d5e5b5a4fc5ad1d7dd59cfeb1b00
    SHA1: e5e772a114af2c4316baed04eab084f28ac93435
    SHA256: 19b241940ac0e25ffedc49070d0ee8e0ef375ec50956dcbfacb4a975f578f404
    SHA512: b654b1deac1a4db1b19a7c6d96fc800fd2b6c96f829413685f9d87726e9d50da8e020182978f8d5737d14d6a7737e4c4cd9ac7651ad1535f2007c06bab2f8550

  • C:\Windows\SysWOW64\svghost.exe
    Filesize: 428KB
    MD5: bae0fb25bcf05a5da7fde8dce759ee0d
    SHA1: bc74b07d14a63ce572755c70ceb796136d129e20
    SHA256: b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d
    SHA512: 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

  • C:\Windows\SysWOW64\svghosthk.dll
    Filesize: 24KB
    MD5: 58129986fa29f6dacd99ab45f60bcb3c
    SHA1: 7f21995794a060fc8629e0d113cf568de14c509e
    SHA256: 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a
    SHA512: 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

  • C:\Windows\SysWOW64\svghostwb.dll
    Filesize: 40KB
    MD5: 2e6016325548ab79e2d636640c6ec473
    SHA1: 586e2b84d46ef00e26c1686033def28e8a9995a5
    SHA256: 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e
    SHA512: 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

  • memory/4168-48-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB