Analysis

  • max time kernel
    134s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 02:02

General

  • Target

    a4f51e8f02e982480720c983c63a7ba8_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    a4f51e8f02e982480720c983c63a7ba8

  • SHA1

    00d62c2bda0dc25d6ecb090a88305fa677f9b27a

  • SHA256

    413b991907e13512e266a2a484d258f4c9fa13dfa307902b6c2debe939ef2cd6

  • SHA512

    7ed93d5eb861f13cec6228ea8a494c29843530497bf1326cb52a8a79b6f923da39e7789c00655594d277cabcbde1c6798fc4de20b4b861afd8d1fb3725fe3e27

  • SSDEEP

    3072:uQiTe8t58J91PoTje+/O1iq/GvxYxKXvR7HFAkJK7PLPX81tUXXia1Pf0QcqB1Pa:uQigN4qCObCYxmRjF3EDvvCQXbHhN97G

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4f51e8f02e982480720c983c63a7ba8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4f51e8f02e982480720c983c63a7ba8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4324 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xKT974E.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 520
      2⤵
      • Program crash
      PID:2224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2840 -ip 2840
    1⤵
      PID:1780
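The process tree above is the most reusable part of this report for detection work: a sample running from the user's Temp directory spawns cmd.exe to start Internet Explorer with `-embedding`, the same parent runs a .bat it dropped in Temp, and both WerFault instances name that parent's PID as the crashed process. The following script is an added example, not part of the sandbox output: it runs that logic over a constructed list of process-creation events modelled on the tree shown here (the event fields, the parent PIDs that the report does not show, and the benign iexplore.exe noise event are assumptions).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are an assumption, not a real log schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the process tree in the report above.
# PIDs 1200 and 800 (explorer / svchost parents) and event 5000 are invented noise.
SAMPLE_EVENTS = [
    ProcEvent(2840, 1200,
              r"C:\Users\Admin\AppData\Local\Temp\a4f51e8f02e982480720c983c63a7ba8_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\a4f51e8f02e982480720c983c63a7ba8_JaffaCakes118.exe"'),
    ProcEvent(2556, 2840, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c start iexplore -embedding"),
    ProcEvent(4324, 2556, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" -embedding'),
    ProcEvent(3596, 4324, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4324 CREDAT:17410 /prefetch:2'),
    ProcEvent(4320, 2840, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xKT974E.bat"'),
    ProcEvent(2224, 2840, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 520"),
    ProcEvent(1780, 800, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2840 -ip 2840"),
    # Benign noise: a user opening IE normally; must not fire any rule.
    ProcEvent(5000, 1200, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

# Image lives under a per-user Temp directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd.exe used to start IE as an embedded/COM-style server.
IEXPLORE_EMBED = re.compile(r"\bstart\s+iexplore\b.*-embedding", re.IGNORECASE)
# cmd.exe /c running a batch file that sits in Temp.
BAT_IN_TEMP = re.compile(r'/c\s+"?([^"]*\\AppData\\Local\\Temp\\[^"\s]+\.bat)"?', re.IGNORECASE)
# WerFault names the crashed process with -p <pid> (both -u and -pss forms carry it).
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_findings(events):
    """Return (rule_name, event_pid, related_pid) tuples for the patterns in the report.

    Keying by bare PID is only safe within one short capture; real telemetry
    should key on a process GUID or (pid, start time) because PIDs are reused.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if basename(e.image) == "cmd.exe" and parent and TEMP_DIR.search(parent.image):
            if IEXPLORE_EMBED.search(e.cmdline):
                findings.append(("temp_exe_spawns_embedded_ie", e.pid, parent.pid))
            if BAT_IN_TEMP.search(e.cmdline):
                findings.append(("temp_exe_runs_temp_bat", e.pid, parent.pid))
        if basename(e.image) == "werfault.exe":
            m = WERFAULT_PID.search(e.cmdline)
            if m:
                crashed = by_pid.get(int(m.group(1)))
                if crashed and TEMP_DIR.search(crashed.image):
                    findings.append(("temp_exe_crashed", e.pid, crashed.pid))
    return findings


if __name__ == "__main__":
    for rule, pid, related in find_findings(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} (related pid {related})")
```

Two details of the tree are worth keeping in mind when porting these rules to real telemetry. The second cmd.exe has a command line naming `C:\Windows\system32\cmd.exe` while its image is `C:\Windows\SysWOW64\cmd.exe`; that is WOW64 file-system redirection for a 32-bit parent, so match on the image path, not on the text of the command line. And the sample crashing (the WerFault lines) means the later stages of whatever it intended to do never ran in this sandbox, so the Run key and the System32 drop listed in the signatures are the persistence to hunt for on a host where it did not crash.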

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Temp\xKT974E.bat

      Filesize

      188B

      MD5

      e324d302097944bacf4be03fe9e500ec

      SHA1

      c009d80dcdea2e9a2f795caed9833c18fb312648

      SHA256

      782682fde0bad2c8b3bf7bf7157217f92d112f4bd5a0ffcb397a1c8e239c4bf8

      SHA512

      c77b3517459f1c39e82d01f5ccb1fbb5103b4d0e7c6d6ae6b323c07b5c5ff319d99232add35f2a260e3a64eb617b39e4c8a8da2d309ed0893ea83762726cf202

    • C:\Users\Admin\AppData\Local\Temp\xKT974E.tmp

      Filesize

      105KB

      MD5

      15ba84320dbb6d9a1c2df6e72c78ce5b

      SHA1

      4b467a9bfaa1859ab9ced1e40fd0acd865a89263

      SHA256

      d17604182081d76aed86d69a0d88fccedcc9515b14afd17479ff065f53946a02

      SHA512

      c388ae531afdba54fbf65bf7e8fcecbb016a2e661346bd67cb8fdb68b26746d4a08a4803e9ff39695741154555d5c6ae7cbcc209d8dc4f8720bd1966439afe67