Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/08/2024, 23:25

General

  • Target

    a4908a78bde63d1f84ae1db3f526e607_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    a4908a78bde63d1f84ae1db3f526e607

  • SHA1

    4e15dc12814e96fb247f283b01d3bde647da9dee

  • SHA256

    094de74404d9bb751babb3ce8893e41bdc95507abc10c7a41e0486fd759bb16d

  • SHA512

    e2b686c45e56e1a821a696a831d96410ecaf2f3cadefdd2f44bed04ceff712b08946dcc7dcce0136b09a0aa74e08130b503f8deb81b7216cc549a42e96d72483

  • SSDEEP

    3072:d7uvSwwaYbV4Fzk3RskJmSyozSZLTrmZquL71ID:ovNwaYJ+k+a5aLuZZn1I

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4908a78bde63d1f84ae1db3f526e607_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4908a78bde63d1f84ae1db3f526e607_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\SysWOW64\inf\svchoct.exe
      "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_080922a.dll tan16d
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\myls3tecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\system\sgcxcxxaspf080922.exe
          "C:\Windows\system\sgcxcxxaspf080922.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4344
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1084
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\inf\svchoct.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\System\sgcxcxxaspf080922.exe

    Filesize

    484KB

    MD5

    a4908a78bde63d1f84ae1db3f526e607

    SHA1

    4e15dc12814e96fb247f283b01d3bde647da9dee

    SHA256

    094de74404d9bb751babb3ce8893e41bdc95507abc10c7a41e0486fd759bb16d

    SHA512

    e2b686c45e56e1a821a696a831d96410ecaf2f3cadefdd2f44bed04ceff712b08946dcc7dcce0136b09a0aa74e08130b503f8deb81b7216cc549a42e96d72483

  • C:\Windows\dcbdcatys32_080922a.dll

    Filesize

    232KB

    MD5

    f47933cf3995f9a15fdb2c5f54638d11

    SHA1

    0223f3890f249cf71bd4e86f03c887a8c673f873

    SHA256

    eaf61cf9748a7a2ac6f02ef2b004fc046f06c5d4d94103c21d5e0eb654e95203

    SHA512

    45d09c8a8d82a91079608aa750f4c0e3260d2c27375ad1c9fcdd9cc9bf4475c6e6e17077ceae05f28852a048252b077f25c125a4ac381a115114c37a3f739634

  • C:\Windows\tawisys.ini

    Filesize

    112B

    MD5

    b1089c96254dba40cc99cc5baf8cbce7

    SHA1

    a3d005914b5d6a7262de2ee56358c66bca0ff787

    SHA256

    46f75b40f60f299b44d785f80089281df3bbfc48c73e4c9f52b8c9073db7417a

    SHA512

    8748acf56a467e1c5c841e4d126b915c616951024b53014e0e0f976b415ae49466c986fc71cf8886da7e030c7ea35bb7ad8f838f0ac5af184123ba077cba11cc

  • C:\Windows\tawisys.ini

    Filesize

    462B

    MD5

    6291f8ef09a8eddeb27e76dc6a76428f

    SHA1

    3f4c6a4c6056d53fb7bbd0c42b3fc198ab57671c

    SHA256

    4b0e8241d523cd3b2e2e51a524d42b823bb6805286502ebce977c0d8ae11e491

    SHA512

    a8477952c46a0b4b94411c7f34f133eb187121bcf1ebe1032c6953dbac4fb3c246d6cd28b2ffb44c9f0602117555c908ae35077689c97b62737511c3d17205c2

  • C:\Windows\tawisys.ini

    Filesize

    378B

    MD5

    825d149fda12d2dd128ff64ff1cb2a37

    SHA1

    e4c655ac56d1ebe36ef646a0cb24d99787d90d86

    SHA256

    ff62ada9a1c49d54aa8b34d7c0f6b71de5766d3a6fdb1b6dc812ff00a362b1e9

    SHA512

    9d78046fd691c262b7e5b801831281759985e5f185bc9a712d4152072e0abc5a4439077ce9c3fdf29eb5622fbc82fa82db07256f030e6db004fee74fb850e36f

  • C:\Windows\tawisys.ini

    Filesize

    420B

    MD5

    4922f175b4a59b206314dbc304b56798

    SHA1

    243df9beba302a4b064abf545846c70c52f54aee

    SHA256

    0275d8a86614adecc47586811b948958945906b73258219dc3dd0bc0a515efdf

    SHA512

    567d6321abd5bc787673d4d6b0b76695e48d95f05b5d6f97a3c7191f8564909f65fc946033a0dc68ef9188f3a6194b0d5dd65ba5804ce22a048223364e76fe66

  • C:\Windows\tawisys.ini

    Filesize

    426B

    MD5

    7d4fbe3b118864428fdffd875e1df4ed

    SHA1

    82e6f3dbffb861eaadbf537598a94146c19669ed

    SHA256

    a03732a62c3cab2da5ca7f1d2c8226b43f0bcdb6ebd9b5de3a605a8e58ffa192

    SHA512

    521c9be11adb8a1d347930b598d9bac0364f7c3c9e01486cd0c866d9ad02655446081bc03da36b9178cad03570d66913225969805d1db1823306cacf9b135008

  • C:\Windows\tawisys.ini

    Filesize

    459B

    MD5

    cabc732b07d13407a2e05e67a2205b45

    SHA1

    34f6ed9109d0a5fc4fad56c78de7a4b490d90671

    SHA256

    608499c9c8f98b0b61ac5dc3615aad9ef3272fb0b0cf03865471b409c597bef8

    SHA512

    1545b11a11d037c273b4ae70bf736161c1d93f45fc1a6540091bcdda2a3f3be6168b7d9f7e5cc614e987aa695395ccc6ceeeead60fbd6fa8180efd26ac4da440

  • C:\Windows\tawisys.ini

    Filesize

    486B

    MD5

    6dd54c7f3c2ec197f2b477a91091ef53

    SHA1

    56d38219462a28e240047711c4e54174893c8639

    SHA256

    af8d1ec7e21b8806f8b692efb7b96064c73524fb42ec0609521b45175168be47

    SHA512

    e2e7c008b5eb462dd48572080314560c3aa137e8fef16606db8555d4882e16d02b02ef1aaa0e2edacaed0c2a5d6ec28d1ac3c1e83525dfcf9dd3e170efcd5745

  • C:\Windows\wftadfi16_080922a.dll

    Filesize

    35KB

    MD5

    193b60c07cd27c3ba7a20a540f01c4b7

    SHA1

    b1fe59690e2ba5bfe22e57b2cb12a92a844c260b

    SHA256

    328fe423812f371f01f97f58aeac99bf8fa96e6804efcab03bb402cb3f34013a

    SHA512

    b3808af9758b978bdf2ac4df2f317d1deadd6c1ecb31c2c0cea028615778441ace367a44a5be207934a93a35d742877f593c00116e63c1fbcc4fd8f599fffd07

  • \??\c:\myls3tecj.bat

    Filesize

    53B

    MD5

    47df77fab6045ec684ca921e72dce72e

    SHA1

    6e5775a96434c88ec1aa6cf32ed4d35430452b3c

    SHA256

    32d087de0d9887edef87152846ededf9cf14de5e901865d4320f417df082614f

    SHA512

    9b05021f1b4cbf27830548b0d6c512e9317b75d017c21f42711db9c5f17b29a158a1cd50c4dd405d497a567ae1fdf14df0602b12c88be527a2ff9a1dfbae78b9

  • memory/1180-71-0x0000000000A20000-0x0000000000A2F000-memory.dmp

    Filesize

    60KB

  • memory/1180-58-0x0000000000A20000-0x0000000000A2F000-memory.dmp

    Filesize

    60KB

  • memory/1180-85-0x0000000000A20000-0x0000000000A2F000-memory.dmp

    Filesize

    60KB

  • memory/1180-115-0x0000000000A20000-0x0000000000A2F000-memory.dmp

    Filesize

    60KB