Overview

overview

7

Static

static

3

8df8552d0f...18.exe

windows7-x64

7

8df8552d0f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/08/2024, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8df8552d0f77d090a19ee05fb17e368e_JaffaCakes118.exe

  • Size

    230KB

  • MD5

    8df8552d0f77d090a19ee05fb17e368e

  • SHA1

    08d0b95d78f866893f30ebc2bef56fbf182d9f16

  • SHA256

    f47c5bfb90584d464f83672bb5470d20e4b7c1d7823b3f665435e02b9c596b63

  • SHA512

    9a4e59662c74de8bf481e43188c14b49906aa1fe5448f8e5fe06e54d27e5be4f05e1b4ed352759b875351418b6e34e2b6d835f58ed6a4aa743ec073824f4c7f2

  • SSDEEP

    6144:Yh8MNbajbGuylF+cPpD1oH7fjJZMsV5RB1OYQgfOx:YeM8jbLyX+cPvkTjJZfjRqmO

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8df8552d0f77d090a19ee05fb17e368e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8df8552d0f77d090a19ee05fb17e368e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\poi.exe
      "C:\Users\Admin\AppData\Local\Temp\poi.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Users\Admin\AppData\Local\Temp\poi.exe
        StubPath
        3⤵
        • Executes dropped EXE
        PID:4940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 460
          4⤵
          • Program crash
          PID:4980
    • C:\Users\Admin\AppData\Local\Temp\msconfig32.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\msconfig32.exe.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4940 -ip 4940
    1⤵
      PID:440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\msconfig32.exe.exe
      Filesize

      155KB

      MD5

      ad59602d298affadc00ee2ec7c7e2c03

      SHA1

      9a855142acf8d07faca764f39916d28d588d1c74

      SHA256

      6573ecafc71290aa7f72ec072012308c9aacf6c11c622ce92f965fbdd1518ff0

      SHA512

      26ccd44724251439a228463c6d7976f10c225bd9f9ec3dd110e2282470b7bd4f1b474a9da6880b8a932e9df0ec6e5a22868e865f7c8c799f4ecd3320981f9bc2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\poi.exe
      Filesize

      10KB

      MD5

      7d90c38091fc328d5d8ef51cc8499157

      SHA1

      28f67a6db7515172b62e40655418b06f4c6e1946

      SHA256

      fe950e65f49aaba52e1a59286cf39c8e03808b73da76f59650c013f9e8b9234a

      SHA512

      21a6f16a97086d21ae629b8dde3356c3faf5957a8af5c9fe0abf6c6704a32cf29ee2f9ab1650dd24549db3575b766ae085b1bb9dce2d7cd5e1f8820e394bb5f3

      Download Submit

    • memory/636-13-0x0000000000400000-0x0000000000402800-memory.dmp

      Filesize

      10KB

      Download

    • memory/652-25-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-26-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-27-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-30-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-31-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-33-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-34-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/652-35-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3904-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3904-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3904-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3904-29-0x0000000074CA0000-0x0000000075251000-memory.dmp

      Filesize

      5.7MB

      Download