Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-08-2024 20:14

General

  • Target
    949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe
  • Size
    14KB
  • MD5
    949256b3ebba498f3347b5f1da8cd954
  • SHA1
    6a861a4f011f6da8fb56cc7af3f0f671dba013e9
  • SHA256
    8e19a48a663fcf8d3282c7fa4c99d5a1bfb6d22cec482d9e3cca4bfa0350f6cc
  • SHA512
    55740efb0ac4a3e6fcaf1449d5507d223d3e969401abb614db6daed874caea0b5811a5b7c0383c3af606f61ed51802c4e59ed34d8ca149583b7065db56aff763
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZ:hDXWipuE+K3/SSHgxD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Users\Admin\AppData\Local\Temp\DEM607A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM607A.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Users\Admin\AppData\Local\Temp\DEMB7F1.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB7F1.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3296
        • C:\Users\Admin\AppData\Local\Temp\DEMEBC.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMEBC.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4880
          • C:\Users\Admin\AppData\Local\Temp\DEM649C.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM649C.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4548
            • C:\Users\Admin\AppData\Local\Temp\DEMBB76.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMBB76.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2544
              • C:\Users\Admin\AppData\Local\Temp\DEM1280.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1280.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1664
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
    1⤵
    PID:4148

    Network

    MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1280.exe
    Filesize: 14KB
    MD5: c0136ebb91268df8299de3e4649f49a2
    SHA1: e283d73da1f78df87f61a99421ff74d33371fe1f
    SHA256: 9b4a4489b1e7dd82b0d130fe4dbe85ec9be4e5bd56295cae4656cd4ae8a504a5
    SHA512: 277421ddf5ec2d984a49009341d36858a1ec2b3addf5c068e26714915f4e7e7cd9883c91f661a621269a5890f8d56731f7282b48eaa7107d5493af81846b8ab7

  • C:\Users\Admin\AppData\Local\Temp\DEM607A.exe
    Filesize: 14KB
    MD5: 3efafe0fc286fa71d5e49fe23e049d08
    SHA1: a81ee927cef92082ea97d66e8b57ac9ee9152ab7
    SHA256: 1ec024ae163f8b1a6cc7d63bfe4a58f9f647b8b73627ed8d1344b485749f57d3
    SHA512: 1e1411692a89b3c775be570459d8dab39198d43a15d3f7529186d159b29b51d5f59c6684cd87c294318e90377c3a7fafad1b786bc73eb22a4616595d55e9e426

  • C:\Users\Admin\AppData\Local\Temp\DEM649C.exe
    Filesize: 14KB
    MD5: c2155a3b18b4278db7e3f31a400949d2
    SHA1: 3d2a8dda9239629dd5e73223999074fbd7ce7205
    SHA256: 15d83212580f9d360acfd92a7b8c4e05834aa4becc4ffab5054cccff08e8be0d
    SHA512: 0b1a8eb301131ef54d90b0ced6a86252428e9c995842e46ff9238dc6927a9b1b84915f3302d4ecae52eea7eb97d5f6c5a33ff5a5202ac07534f74a13a18a46b0

  • C:\Users\Admin\AppData\Local\Temp\DEMB7F1.exe
    Filesize: 14KB
    MD5: 3e158d21ca9c73396f918c68c3b0afa3
    SHA1: adc4380ae360461f6e17f1bd1e6c9e10ce0b4544
    SHA256: 263b2cc00c324afed5b784a4c226ccba5683522641ba1a491b000d0ea8458528
    SHA512: 6f58f2b9176e0b344bd7a81e36e60d9f5138950cc044853d4610d30732ba93b4f62ee81df7bc729b010d1d5068f767290a7122c6a2f4a46ea0d8fd540d6a75e6

  • C:\Users\Admin\AppData\Local\Temp\DEMBB76.exe
    Filesize: 14KB
    MD5: 4ff7eded9b04290ab1d752ea812af458
    SHA1: d3af2c8c915454a9be4b1f2d20f5a5aed1dea3d3
    SHA256: 46596c8dec4dbc7215a1eb58b7780f3dc87b3f486eb639513b1ae123b223c5b3
    SHA512: ae55ccb1227649a525ba6f6ff641f61b439fcc6d9ab97ccce73e7857792f622f2edb93b463f59bae27febaa82de28c4adf5f6ae147cb2cb6a9f5e5a6fd0ac505

  • C:\Users\Admin\AppData\Local\Temp\DEMEBC.exe
    Filesize: 14KB
    MD5: debe5435dfb9aeef368ecf628a73ce03
    SHA1: 6bc87df8dc936dc3a53ced13551624724eeec34a
    SHA256: 431e05931954e35c9449464bbaf377c65e5fb687c8f09a13fed7f2569c886c5a
    SHA512: 474b7ea8afb9fdc29fa5711bff46921e8f9394ec6f69cf2c6ed019390c23f42a12b96115770fbfe0de9db80b663ee0ddc4a65ac04f91c8b33d4514d4abb1694e