Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-08-2024 06:10

General

  • Target

    a178083977255560a5e3b886e4f79ce7_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    a178083977255560a5e3b886e4f79ce7

  • SHA1

    9c59fec6a7d2559db0566ef5adc93740dcc67bad

  • SHA256

    9da45c1414fde84e01fbe21e66ab691b1201aaa24c72f8575f5dec3f0fbd23b8

  • SHA512

    1136f7e5bd5f062fe1249db4d8bddab33f848bb3c901bcde1cdf33f0f7761f104156e5799c64b4e65cf2235d404b1114a246faac5a811b992b222387f80942af

  • SSDEEP

    49152:Dtq2uoGFcKkmE7BRCp4u3e3S5y1Shi35U0thsf:Dduo4cKkmISZe371SgJB4

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a178083977255560a5e3b886e4f79ce7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a178083977255560a5e3b886e4f79ce7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\o4ib9o461wv8827.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\o4ib9o461wv8827.exe" -e -p7yit6hq0c534ln6
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\4epu7913jyq24zg.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\4epu7913jyq24zg.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Users\Admin\AppData\Roaming\Protector-pare.exe
          C:\Users\Admin\AppData\Roaming\Protector-pare.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1940
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\4EPU79~1.EXE" >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2628
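The tree above is a three-stage dropper chain: the submitted sample unpacks a second self-extracting archive into Temp\RarSFX0, that archive is run with a -p<password> switch (on WinRAR SFX modules -p sets the archive password; that reading is an assumption, the report only shows the argument), its payload runs from Temp\RarSFX1, writes Protector-pare.exe to AppData\Roaming, and finally spawns cmd.exe to delete its own image via the 8.3 short name 4EPU79~1.EXE. The following Python is an added example, not part of the sandbox report, showing how a detection would pick out each of those steps from process-creation events. The event shape mirrors Sysmon Event ID 1 fields (pid, ppid, image, cmdline); the sample events are constructed from the PIDs and command lines the report lists, and the names ProcEvent, analyse and short_name_matches are this example's own.

```python
"""Added example (not the sandbox report's code): detections for a nested RarSFX
dropper chain, run over constructed process-creation events."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


# Constructed from the report's process tree: PIDs, paths and arguments as listed there.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(3240, 0, TEMP + r"\a178083977255560a5e3b886e4f79ce7_JaffaCakes118.exe",
              '"' + TEMP + r'\a178083977255560a5e3b886e4f79ce7_JaffaCakes118.exe"'),
    ProcEvent(4852, 3240, TEMP + r"\RarSFX0\o4ib9o461wv8827.exe",
              '"' + TEMP + r'\RarSFX0\o4ib9o461wv8827.exe" -e -p7yit6hq0c534ln6'),
    ProcEvent(4224, 4852, TEMP + r"\RarSFX1\4epu7913jyq24zg.exe",
              '"' + TEMP + r'\RarSFX1\4epu7913jyq24zg.exe"'),
    ProcEvent(1940, 4224, r"C:\Users\Admin\AppData\Roaming\Protector-pare.exe",
              r"C:\Users\Admin\AppData\Roaming\Protector-pare.exe"),
    ProcEvent(2628, 4224, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del "' + TEMP + r'\RarSFX1\4EPU79~1.EXE" >> NUL'),
]

RARSFX_DIR = re.compile(r"\\Temp\\RarSFX\d+\\", re.IGNORECASE)     # WinRAR SFX extraction dir
PW_SWITCH = re.compile(r"(?:^|\s)-p(\S+)")                            # -p<password>; WinRAR SFX switch (assumed)
DEL_CMD = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def sfx_depth(idx, pid):
    """Count processes in pid's ancestry (itself included) that run from a RarSFX directory."""
    depth, e, seen = 0, idx.get(pid), set()
    while e is not None and e.pid not in seen:
        seen.add(e.pid)
        depth += bool(RARSFX_DIR.search(e.image))
        e = idx.get(e.ppid)
    return depth


def sfx_password(e):
    """Return the -p<password> argument if an SFX-extracted binary was started with one."""
    m = PW_SWITCH.search(e.cmdline) if RARSFX_DIR.search(e.image) else None
    return m.group(1) if m else None


def deleted_target(e):
    """Return the path a 'cmd.exe /c del <path>' command deletes, else None."""
    if ntpath.basename(e.image).lower() != "cmd.exe":
        return None
    m = DEL_CMD.search(e.cmdline)
    return (m.group(1) or m.group(2)) if m else None


def short_name_matches(short, long):
    """True if `short` names the same file as `long`, allowing an 8.3 alias (ABCDEF~1.EXE).
    The alias keeps the first characters of the long stem and the first 3 of the extension."""
    s, l = short.lower(), long.lower()
    if s == l:
        return True
    s_stem, s_ext = ntpath.splitext(s)
    l_stem, l_ext = ntpath.splitext(l)
    if "~" not in s_stem or s_ext != l_ext[:4]:
        return False
    prefix = s_stem.split("~", 1)[0]
    return l_stem.replace(".", "").replace(" ", "").startswith(prefix)


def same_file(path_a, path_b):
    """Same directory (case-insensitive) and same file name, 8.3 aliases allowed."""
    return (ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()
            and short_name_matches(ntpath.basename(path_a), ntpath.basename(path_b)))


def analyse(events):
    """Run all detections over a list of ProcEvent and return the findings."""
    idx = {e.pid: e for e in events}
    report = {"sfx_chain_depth": 0, "sfx_passwords": [], "self_deletions": [], "roaming_drops": []}
    for e in events:
        report["sfx_chain_depth"] = max(report["sfx_chain_depth"], sfx_depth(idx, e.pid))
        pw = sfx_password(e)
        if pw:
            report["sfx_passwords"].append((e.pid, pw))
        parent = idx.get(e.ppid)
        if parent is None:
            continue
        target = deleted_target(e)
        if target and same_file(target, parent.image):          # child deletes its parent's image
            report["self_deletions"].append((e.pid, parent.pid, target))
        if RARSFX_DIR.search(parent.image) and "\\appdata\\roaming\\" in e.image.lower():
            report["roaming_drops"].append((e.pid, e.image))     # SFX payload started a Roaming binary
    return report


if __name__ == "__main__":
    for key, value in analyse(EVENTS).items():
        print(key, value)
```

The 8.3 comparison is the part most rules get wrong: a naive string match between the del target and the parent's image never fires here because the sample deletes 4EPU79~1.EXE rather than 4epu7913jyq24zg.exe. Matching on the directory plus the short-name prefix, as above, catches both spellings.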

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\o4ib9o461wv8827.exe

    Filesize

    2.0MB

    MD5

    8c03b4dc54244014229009d42e7c0455

    SHA1

    8df39a19d4601daf554143815b6afa3286904a7d

    SHA256

    012a675100f650f93436b0c226652b335db207b9ba04331d9d0513c975bb9010

    SHA512

    bbd9573f14411dd23689e103e2ba75bfc89b481e540450ba47fd1550b088177efedd5918713ebab9776b89a57a82f28ba9784785fcc22fc86e180aeb70724d08

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\4epu7913jyq24zg.exe

    Filesize

    1.9MB

    MD5

    bfd99e635288e5e0f46f0e7aa150300c

    SHA1

    17b31bc6d8a5ca2c065fbaf3e1c755cf68ffd37b

    SHA256

    969006837a0889f09181454819b7a27d89ca11330b628d3faf56a3e46022fd01

    SHA512

    c806add828107536f463d3103be1907ddbe653a25fbf0e785dc69c2e9a52b76927a2d3efa6d509b85b97fa9710a3156273ee5c914f3365c5e854c6073da704cc

  • memory/1940-27-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

  • memory/1940-35-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

  • memory/4224-18-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

  • memory/4224-33-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB