Overview

overview

10

Static

static

3

aa4fdf7cc2...18.exe

windows7-x64

10

aa4fdf7cc2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 08:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aa4fdf7cc213100a9c89a4de4f4e36db_JaffaCakes118.exe

  • Size

    34KB

  • MD5

    aa4fdf7cc213100a9c89a4de4f4e36db

  • SHA1

    06b03d29bbc58c57f7959c65bb22d2638beeeca8

  • SHA256

    70b2b84696b0ba8e1ef5cc5d01484c4ca9468664c2930613a565774aa72ded66

  • SHA512

    dabd2a4af9815788f15597ad67c428672c88b3daaffcf0d58278c547e5a17f3b202a7bcaed1ef0eabf5ecc8616a9244c44e686b1a9a5ee0e8e4b9821e963588d

  • SSDEEP

    768:mzQYScGrIubHuYtvdxwYHw5FAe2Q8ncwx9R:gQTIubHy5wQ8z

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa4fdf7cc213100a9c89a4de4f4e36db_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aa4fdf7cc213100a9c89a4de4f4e36db_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Program Files (x86)\f7004d98\jusched.exe
      "C:\Program Files (x86)\f7004d98\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1500
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
    1⤵
      PID:4840

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\f7004d98\f7004d98
            Filesize

            13B

            MD5

            f253efe302d32ab264a76e0ce65be769

            SHA1

            768685ca582abd0af2fbb57ca37752aa98c9372b

            SHA256

            49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

            SHA512

            1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

            Download Submit

          • C:\Program Files (x86)\f7004d98\jusched.exe
            Filesize

            34KB

            MD5

            d16bcfa4aece08ae44e2f80041f5ad41

            SHA1

            bf57ed54112232443295188524724bbdfce4ddb4

            SHA256

            e806dfd0b5072d86db2660b7d2f64320a5d8a2688fa63b13a4a334db1260b60a

            SHA512

            064b54f43fe701ab0b44c20c780bd73a3a31a5b418628b36be009553f6bdec3781384f66043ee01539535dfc425dedaea3c21ab05f361460170a73b0465e8abc

            Download Submit