Analysis
- max time kernel: 134s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-08-2024 08:05
Static task: static1
Behavioral task: behavioral1
- Sample: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
- Size: 189KB
- MD5: ae71fe0158db6330ecadb5224b8568dd
- SHA1: b1c632e8ff6c92018ffcace281d83c4b1244b93b
- SHA256: facb89f13f7e78ab1a420d1b4a29d4be0ae88f5e0e7470bcd84a51e35bf5155f
- SHA512: 1056a6a96caf3152504855813f8deefbbb65dffd8575ab2c4de6b5265aa757299be8230be14477ef4344bdd7f0a4514146c2450b212536e4cd61277dbe686fa8
- SSDEEP: 3072:vCNmpyGyeln0Ao6QDfSwmF0GIb/Osi6csQjpCJCQ/B5JB8dQiJ96HjtOCY:ompyG1lnMfSIDO56cs8szvYQ5HZHY
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  PID 2840: YHF.exe
- Loads dropped DLL (2 IoCs)
  PID 832: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
  PID 2840: YHF.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YHF = "C:\\Windows\\YHF.exe" (process: YHF.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\YHF.exe (process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe)
  File created: C:\Windows\YHF.001 (process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe)
  File created: C:\Windows\YHF.006 (process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe)
  File created: C:\Windows\YHF.007 (process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: YHF.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (PID 2840, YHF.exe)
  Token: SeIncBasePriorityPrivilege (PID 2840, YHF.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2840: YHF.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  PID 2840: YHF.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2840: YHF.exe
  PID 2840: YHF.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 832 wrote to memory of 2840 (pid 832, process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe, procid_target 84)
  PID 832 wrote to memory of 2840 (pid 832, process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe, procid_target 84)
  PID 832 wrote to memory of 2840 (pid 832, process: ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe, procid_target 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe"
  PID: 832
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\YHF.exe (child of PID 832)
    Command line: "C:\Windows\YHF.exe"
    PID: 2840
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads