Analysis
-
max time kernel
137s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-08-2024 00:14
General
-
Target
ad289c0c15a9a9e0ecc11c031b93e2ea_JaffaCakes118.exe
-
Size
424KB
-
MD5
ad289c0c15a9a9e0ecc11c031b93e2ea
-
SHA1
5f1fce45c5328eb85237101e99cc7e3d03d1bc5a
-
SHA256
b31aaa49b124a29400a245ad38c1eed68ea044a03437b3f9731206e67a8d762c
-
SHA512
b1b54c63bed81fe9d3e17af33fd57363335c70b41baa4708e09557e4aa7d72e51998c72e03ec1a1e07e8e6f79f6db32f70ca56a57233c20283cc6c81f1dc3fcb
-
SSDEEP
6144:Qx3WAtrRnaRmyqhr0/UGDZeLTK6ISM9xaJbZ:oWAtdnXyqNcpDZw6n
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 45 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad289c0c15a9a9e0ecc11c031b93e2ea_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ad289c0c15a9a9e0ecc11c031b93e2ea_JaffaCakes118.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1