Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20-08-2024 14:50

General

  • Target

    afa862db683b6b7198665bf204d171e8_JaffaCakes118.exe

  • Size

    40KB

  • MD5

    afa862db683b6b7198665bf204d171e8

  • SHA1

    36cc5bca1da3be744c0a5fc765e76257dbdffdec

  • SHA256

    f91b63543a21e56c1143b69c34844e52bbae0bb34d535acbff2ebad5e3cac43e

  • SHA512

    a3ba3de94232bcf15bb044b38bb90b4c423a9e57518bbe5901677962dd67660c1e743173cdf340d6c4f6b340ae9db3222ef65c06d9580856d1e921d2af0f5dc4

  • SSDEEP

    768:6sltaNBlzZwDM/iScPFIJfstmbrzRyzBwbVRHkKk5PwIWC9gUSWD:7lteJwDM/iSbtumbrFyzBwbVREPljvSa

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\afa862db683b6b7198665bf204d171e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\afa862db683b6b7198665bf204d171e8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4420

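The signatures and process tree above can be replayed as simple detection rules over a behavioural event trace. The block below is an added example written for this page, not the sandbox's own signature code: it encodes the five behaviours the report lists (country-code lookup, Run-key persistence, a write into the system directory, language discovery, and the cmd.exe /c <batch-in-%TEMP%> self-deletion pattern) and runs them over a constructed trace modelled on the two processes shown. The event format, the dropped-file name, the Run value name and the exact registry paths queried are assumptions for illustration; the report itself does not name them.

```python
import re
from collections import defaultdict

# Constructed sandbox-style event trace modelled on the process tree in the
# report above. The dropped-file name, the Run value name and the registry
# paths queried are assumptions for illustration, not artefacts recovered
# from the sample.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\afa862db683b6b7198665bf204d171e8_JaffaCakes118.exe"
TRACE = [
    {"pid": 1596, "ppid": 4000, "op": "process_create", "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 1596, "op": "reg_query",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"pid": 1596, "op": "api_call", "api": "GetUserDefaultUILanguage"},
    {"pid": 1596, "op": "file_write",
     "path": r"C:\Windows\SysWOW64\dropped_example.exe"},      # assumed name
    {"pid": 1596, "op": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Example", "data": r"C:\Windows\SysWOW64\dropped_example.exe"},
    {"pid": 1596, "op": "file_write",
     "path": r"C:\Users\Admin\AppData\Local\Temp\delself.bat"},
    {"pid": 4420, "ppid": 1596, "op": "process_create",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "'},
    {"pid": 4420, "op": "api_call", "api": "GetSystemDefaultLangID"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
NLS_KEY = re.compile(r"\\Control Panel\\International$|\\Nls\\Language$", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TEMP_BAT = re.compile(r"\\Temp\\[^\"\s]+\.bat", re.I)
LANG_APIS = {"GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
             "GetUserDefaultLangID", "GetSystemDefaultLangID", "GetLocaleInfoW"}

def geofence_lookup(ev, procs):
    # The configured country (GeoID) is stored as value Nation under
    # Control Panel\International\Geo; reading it is the classic geofence check.
    return (ev["op"] == "reg_query" and bool(GEO_KEY.search(ev["key"]))
            and ev.get("value", "").lower() == "nation")

def run_key_persistence(ev, procs):
    return ev["op"] == "reg_set" and bool(RUN_KEY.search(ev["key"]))

def drops_in_system_dir(ev, procs):
    return ev["op"] == "file_write" and bool(SYSTEM_DIR.match(ev["path"]))

def language_discovery(ev, procs):
    return ((ev["op"] == "api_call" and ev["api"] in LANG_APIS)
            or (ev["op"] == "reg_query" and bool(NLS_KEY.search(ev["key"]))))

def self_delete_batch(ev, procs):
    # cmd.exe /c <batch in %TEMP%> spawned by a parent that itself runs from
    # %TEMP%: the pattern behind delself.bat in the process tree above.
    if ev["op"] != "process_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    parent = procs.get(ev.get("ppid"))
    return (parent is not None and bool(TEMP_DIR.search(parent["image"]))
            and " /c " in ev["cmdline"].lower() and bool(TEMP_BAT.search(ev["cmdline"])))

RULES = [
    ("Checks computer location settings", geofence_lookup),
    ("Adds Run key to start application", run_key_persistence),
    ("Drops file in System32 directory", drops_in_system_dir),
    ("System Location Discovery: System Language Discovery", language_discovery),
    ("Self-deleting batch file via cmd.exe", self_delete_batch),
]

def evaluate(trace):
    """Map each signature name to the indices of the trace events that fire it."""
    procs = {e["pid"]: e for e in trace if e["op"] == "process_create"}
    hits = defaultdict(list)
    for i, ev in enumerate(trace):
        for name, rule in RULES:
            if rule(ev, procs):
                hits[name].append(i)
    return dict(hits)

def process_tree(trace):
    """(depth, pid, image) in spawn order, the layout of the Processes section."""
    depth, tree = {}, []
    for e in (e for e in trace if e["op"] == "process_create"):
        depth[e["pid"]] = depth.get(e.get("ppid"), 0) + 1
        tree.append((depth[e["pid"]], e["pid"], e["image"]))
    return tree

if __name__ == "__main__":
    for d, pid, image in process_tree(TRACE):
        print("  " * (d - 1) + f"{d}> PID {pid}: {image}")
    for name, idx in evaluate(TRACE).items():
        print(f"{name}: {len(idx)} IoC(s) at events {idx}")
```

Note that the rules key on what the sandbox observed (registry reads and API calls), which ordinary endpoint telemetry such as Sysmon does not record for registry reads; on a live host the Run-key write, the write into SysWOW64, and the cmd.exe /c *.bat child of a process running from %TEMP% are the parts of this chain you can realistically alert on.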
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\delself.bat

    Filesize

    230B

    MD5

    d02680f67fb1a8122a80495f8c9a1d6c

    SHA1

    13189e2d33c2aff7d6f21083571e2daab81d5d83

    SHA256

    854730f3cc61e13e63ff99fb1a229bf7fc71facc17fe87a10abf63b3881e1001

    SHA512

    6e9729ecccc00013f562a5d862b20671060636d9d517a7e08a0313264b53edab2b5ba14aaa75c9e55052ecdffb71ccb5dee370d512a1a7e8f37f5854fee17ad6

  • memory/1596-0-0x0000000000580000-0x0000000000589000-memory.dmp

    Filesize

    36KB

  • memory/1596-6-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB