Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 20:00

General

  • Target
    b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe
  • Size
    15KB
  • MD5
    b0a00049823fd8f4ad42f7cf91953b18
  • SHA1
    80d1e4f23ca2ce8d1fc1afecc815e6972807b835
  • SHA256
    07d0e3f84c38d4405030d28783b962a5152a72f7f6ad252fff36049c676581c9
  • SHA512
    0e7cb9f6d6709f6074d3dfcfb0e60da848a7180f8721d4c4313e8348472a2f22d1a5b4195dc157e27d6129ee328f3b9d9844bb7e654cd153dd5289e905733083
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HTyC:hDXWipuE+K3/SSHgxmKEzyC

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Users\Admin\AppData\Local\Temp\DEM6BF4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6BF4.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\DEMC3E7.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMC3E7.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Users\Admin\AppData\Local\Temp\DEM1A83.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM1A83.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4416
          • C:\Users\Admin\AppData\Local\Temp\DEM70D1.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM70D1.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4368
            • C:\Users\Admin\AppData\Local\Temp\DEMC76D.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC76D.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2940
              • C:\Users\Admin\AppData\Local\Temp\DEM1E86.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1E86.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2528
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
    1⤵
    PID:4688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1A83.exe
    Filesize: 15KB
    MD5: 1daba41c764b95a2ed8c6b4c38ea3a3f
    SHA1: 3d1e7a7131952448157e86ce6f1cffc71ce430af
    SHA256: a127db6e15ab96503b423e7068dc31da25a40f77663e1be955e33276ba634a9a
    SHA512: 52f55665398bc68eacf4946d01c83206df879e777706f2fe00a9913f14cdb373f54dc0b45f503516b31b4081fdf79f49e847a7ba88a518211e345081b45e588e
  • C:\Users\Admin\AppData\Local\Temp\DEM1E86.exe
    Filesize: 15KB
    MD5: 992a57e971cc77c5dcaec264df38c56c
    SHA1: 76b1924e441eb8fcaee8a5939099fdb3994c6937
    SHA256: fbdb113d5da7a47efb5721f5f3c8bd109ff8345adb6267216cf84e0f65028e28
    SHA512: 4984df57f569018ec7216a250866e179871bd7dc93afc62e42ac0d252c9ffd9c5955439aa4a343d7cafacef188699e16b610d03049dcd870ba49ae7e25409ebe
  • C:\Users\Admin\AppData\Local\Temp\DEM6BF4.exe
    Filesize: 15KB
    MD5: c91ff2f4960704eaa6949de5686a1eb2
    SHA1: a7dc9caa2a33428e77dec301bd3a0aa7611982bd
    SHA256: 4bac3967b8253d726875a8e765050185784fd67f739175aff64810d8396b9cd4
    SHA512: af2432c4092fc4a7cc48d3542ad48b96eada796d0b315fef3f69c2200ad40971893e31b0cc7ad7fb46f6c977b4636fbeb314b6c4477b6d2cde250e913349e593
  • C:\Users\Admin\AppData\Local\Temp\DEM70D1.exe
    Filesize: 15KB
    MD5: 1b6f93a4b0c140c9dce7173655537478
    SHA1: b1ca3747f7f8dad8493de59b98854c8d699cf928
    SHA256: 68f7ad9a740bd82049aa2ba3a7361140eb9dc80e41f6022f5bea28ae4c748890
    SHA512: 03b30cb75168af417e4ba0c2e3d7d787cd1f461752d501654d46cece74dce5a58c8fc36cd4292558362497c22648081d963c992213634fc4309d72f68586a711
  • C:\Users\Admin\AppData\Local\Temp\DEMC3E7.exe
    Filesize: 15KB
    MD5: 53a545a47eb30f8ce638264a6b52c36c
    SHA1: 600ae9c0739cd869bf27c62491d1282481df818c
    SHA256: 20e8428f71652ce7a99eaf9797d19cac82db0907892c8779b28a40a446748431
    SHA512: b1daa0511c7fcaa4d20651655f084c7a8d34b4047475aea0614905fe47844893f262ed5a0c3a7db11ae63cb852aa959627297d854dd357d0c6d8c3210964c8d8
  • C:\Users\Admin\AppData\Local\Temp\DEMC76D.exe
    Filesize: 15KB
    MD5: 669e5eff4d3c8c6fe759a00990bc49cf
    SHA1: b2f177c250bc43fb2284a8d48de58cc075a18af4
    SHA256: 09c3f03e78415bce350f140021fd19cd89f9935e128c0d7fd7c812ba18ddaf2c
    SHA512: 381a1d3ac33d7789d074901ff6ae8c9b15cc212c9ed99d7db6b743bd51da8abc8363d464e805d4ee1a754d4ae28461fe78ec77105d88ab411485646da0209115