Analysis

  • max time kernel
    140s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 06:34

General

  • Target

    a5bdc27dc51088ae49dc94165aa8581f_JaffaCakes118.exe

  • Size

    109KB

  • MD5

    a5bdc27dc51088ae49dc94165aa8581f

  • SHA1

    86fca6b72af0969bce8ff778e44deee8d09fb428

  • SHA256

    89baec371b6357aada5e7bbe57611b10d5e7252b88ac555c466a38872cfca0f2

  • SHA512

    d185d47aded309ed9c9e63d2c0740483f25121dedc1b31a5ac3ca6edde58624b07897a612089414d7006e847986a12cbc18e39dee6e299117f297c65bbb3fd59

  • SSDEEP

    1536:b1XPUAHhKNkbxCJ3kwrBPposqARi/eDBZ6WKGllfdnuj1MKqZr4WBZQZKVHSNl:bJokilpLq0HDBZ6WKGlJOKKqO6uKVHa

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5bdc27dc51088ae49dc94165aa8581f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a5bdc27dc51088ae49dc94165aa8581f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\tt.exe
      "C:\Windows\tt.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tt.exe

    Filesize

    103KB

    MD5

    b2fb9700051f2fcacaa49e659f4d6fba

    SHA1

    112e8c95fedfa1c409e1315ff746f1a4a0790019

    SHA256

    6be4e1e7f3a60e2c7c290e6b7a94339eba4e4454ac725dacb3c6b9b5d092c673

    SHA512

    6aaae4a9f438adc26ce07c65b810debd6ff1308149c9f1c5379e493aa0633f7a485ac073650374418a89cfc7ff7cda6ed30b33075a3d4aaabafdec4f8dab2a9e

  • memory/1360-10-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1360-12-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/4948-0-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/4948-11-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB