Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-08-2024 19:41

General

  • Target

    976863bcd6b104058317f2cd0c541175_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    976863bcd6b104058317f2cd0c541175

  • SHA1

    a42d1a2549254d002126f40ac4f1c433b7b2b632

  • SHA256

    34492a40e7ae782f3537034ca80093d58acc08e59b1212e1a619d64130838fea

  • SHA512

    65b52066beb044e7d412c2c477e4d231dd9741c7e24aa15e93841da73e0fe77bf64babe7aa993ffec473549c5c49317f1ba7f406bc4312a01f1b020af6191d0d

  • SSDEEP

    24576:fIBmQI35Afl3uZWGgmQI35AfaeWmQe35CRiXZmBoImQe35CRiXZmt6Z:fIQQv3zGDQkSQCXZmBGQCXZmtk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\976863bcd6b104058317f2cd0c541175_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\976863bcd6b104058317f2cd0c541175_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Inject.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Inject.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zapuskatr.cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe -f -im 4game_zapuskatr.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3552
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe -f -im pb.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2484
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchosts.exe
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1504
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\injec.exe
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\injec.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data_Base2.bin

    Filesize

    4KB

    MD5

    cb9afa40895795d20178f944ad8ba64b

    SHA1

    2963b6cff857a97c28bdd319b5c71490545c823c

    SHA256

    7c7681704a41fac3a24045e6999de3b4ca58865300f1f9ede6ee928c0178c318

    SHA512

    f8917efc2399ce1dffe1f91af5ae89677a61097f0724d6448ecff9d962943b0db4013386ab5f955c054e441e9ef601d4298d213e7f8b33b50aea69b0da9cf000

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Inject.exe

    Filesize

    627KB

    MD5

    54fb6e5684f3d5d8e419a15b26c3b4e3

    SHA1

    5c2deb2053780f225e9d2aa838db51a470c4f38b

    SHA256

    14affe66e2f930665d217368672b31268210d5baede1eddc4b1a5a1f9abe3d1a

    SHA512

    a6a137dfe9b09b57aaf7fd3418ed368583e5740cc6bfb133b40d0cf445480a980e06f0c1bcf254a27af99cd58761408179b72f213b58ed965c988f708a7dad6e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zapuskatr.cmd

    Filesize

    436B

    MD5

    14eb1bc6e32bb3823dcb0ab91fdae60f

    SHA1

    772b6d55e121c5fab1f658aec2b0f23f44f16f85

    SHA256

    8c26c046d5e77abcfd17ef81d3db29a52643cf9f2e7cce956bece9eb3ff29886

    SHA512

    ad1b139f879a138a8a912edc8808aeba6d15c94f4c708d659dc65ae229b456968842b743832e8dfc372e91bb5ae95ae3798d3f060a75ad9fbfd47d4f235e86d3

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\injec.exe

    Filesize

    638KB

    MD5

    42f257c2c7a18d6a2b2eef781ad81e1b

    SHA1

    019bc8adc15cd5e27c5c9dd9d66e6a633c113446

    SHA256

    08bbddcb35f1ba4226fd65c83ab26653ca119a806b630578e8cb9b2558422c4f

    SHA512

    838a7ea8025d5f14ca416a947c66bf8ff3367a2c2533a45aed7ca7999f4391e994989e4378ff25286918c6a6e5ab31ec7cf4a6140c9846df543d4fbf90506ac2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchosts.exe

    Filesize

    654KB

    MD5

    77aea15f21a158aa83e967663b563b05

    SHA1

    2d81c7488cf74316370ac7ad738a993710f8c2f0

    SHA256

    8de2bf9834d7dec72888728fb2d2f8f55c095e191022edadfa9237694791e9f0

    SHA512

    15b0f875d9ee667fd9cc22bb1e422f96f890e67012cf5a9c51e7dd6ff52f1c24533ee06dc259ede04e4428b9cb8a5db2efae846dcb6673436fae27244d891d13

  • memory/2036-82-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB