Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-08-2024 19:19

General

  • Target

    b4b602c182251256d93cd3ac38c80ea1_JaffaCakes118.exe

  • Size

    4.7MB

  • MD5

    b4b602c182251256d93cd3ac38c80ea1

  • SHA1

    702caa8790a2dc43302bf4a837f1a1ffda558121

  • SHA256

    dd0ac90dc00a212e95eb4ec74475cdde57e1575195a369335cbbdbe8a367927c

  • SHA512

    947e661d7a8af1ac6a0cc5eb98826d56aeb6048458c1db0891e5d00fe34ed9aad1d0bdddb31d84a12ef2b6585efd4ef08842c5a1fb0b086afc9d4982a7d693e0

  • SSDEEP

    98304:mbPn7bD0Bs/AaKXx1VNLKlQ/r3zHsxngS9MJCEuolAFq+MaLv:mLHDt/fyTAa/rDH2xMJCED2FqhU

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4b602c182251256d93cd3ac38c80ea1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4b602c182251256d93cd3ac38c80ea1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart2.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam2.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4548
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam2.bat" any_word
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Temp\SonarSolutionsBuild.sfx.exe
            "SonarSolutionsBuild.sfx.exe" -p123908VDS -dC:\Temp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4692
            • C:\Temp\SonarSolutionsBuild.exe
              "C:\Temp\SonarSolutionsBuild.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4500
              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sonar.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sonar.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:4028
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +S +H -R C:\Temp
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1036
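The process tree above as a detection exercise. This is added example code, not part of the sandbox report: it builds a small process-creation log that mirrors the tree (PIDs, images and command lines copied from the report, plus one constructed benign attrib call as a control) and applies four hypothetical rules: the WinRAR SFX `-p<password>` / `-d<destination>` switches seen on SonarSolutionsBuild.sfx.exe, `attrib +S +H` applied to a directory, a script host (WScript/CScript) launching cmd.exe on a batch file under a Temp path, and execution of a binary from a `RarSFX<n>` extraction folder. It also walks the parent chain of the final payload back to the submitted sample, which is the pivot an analyst wants when triaging the alert. Rule names and the log record layout are assumptions.

```python
"""Hypothetical detection rules run over a constructed process-creation log.

Added example: not the sandbox's own logic. Records mirror the process tree in
the report; PIDs and command lines are taken from it, the last record is a
constructed benign control."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample log. ppid 1000 for the root is assumed (the report does not show it).
SAMPLE = [
    ProcEvent(2196, 1000, r"C:\Users\Admin\AppData\Local\Temp\b4b602c182251256d93cd3ac38c80ea1_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\b4b602c182251256d93cd3ac38c80ea1_JaffaCakes118.exe"'),
    ProcEvent(4452, 2196, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart2.vbs"'),
    ProcEvent(4548, 4452, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam2.bat" "'),
    ProcEvent(2576, 4548, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam2.bat" any_word'),
    ProcEvent(4692, 2576, r"C:\Temp\SonarSolutionsBuild.sfx.exe",
              r'"SonarSolutionsBuild.sfx.exe" -p123908VDS -dC:\Temp'),
    ProcEvent(4500, 4692, r"C:\Temp\SonarSolutionsBuild.exe",
              r'"C:\Temp\SonarSolutionsBuild.exe"'),
    ProcEvent(4028, 4500, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sonar.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sonar.exe"'),
    ProcEvent(1036, 2576, r"C:\Windows\SysWOW64\attrib.exe",
              r"ATTRIB +S +H -R C:\Temp"),
    # Constructed benign control: clearing read-only on a document, no +S/+H.
    ProcEvent(5000, 4100, r"C:\Windows\System32\attrib.exe",
              r"attrib -R C:\Users\Admin\Documents\report.docx"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_sfx_password_extract(ev, idx):
    # WinRAR SFX switches: -p<password> and -d<destination folder>, as on PID 4692.
    cmd = ev.cmdline
    return (re.search(r"(?:^|\s)-p\S+", cmd) is not None
            and re.search(r"(?:^|\s)-d[A-Za-z]:\\", cmd) is not None)


def rule_attrib_hide_system(ev, idx):
    # attrib.exe marking a path both System and Hidden (PID 1036 on C:\Temp).
    if basename(ev.image) != "attrib.exe":
        return False
    tokens = {t.upper() for t in ev.cmdline.split()}
    return "+S" in tokens and "+H" in tokens


def rule_script_host_to_cmd_temp(ev, idx):
    # cmd.exe spawned by WScript/CScript to run a .bat/.cmd from a Temp directory.
    parent = idx.get(ev.ppid)
    return (basename(ev.image) == "cmd.exe"
            and parent is not None
            and basename(parent.image) in {"wscript.exe", "cscript.exe"}
            and re.search(r'\\temp\\[^"\s]+\.(bat|cmd)\b', ev.cmdline, re.I) is not None)


def rule_rarsfx_dropped_exe(ev, idx):
    # Executable running from a WinRAR SFX extraction folder (%TEMP%\RarSFX<n>).
    return re.search(r"\\RarSFX\d+\\[^\\]+\.exe$", ev.image, re.I) is not None


RULES = {
    "sfx_password_extract": rule_sfx_password_extract,
    "attrib_hide_system": rule_attrib_hide_system,
    "script_host_to_cmd_temp": rule_script_host_to_cmd_temp,
    "rarsfx_dropped_exe": rule_rarsfx_dropped_exe,
}


def index_events(events):
    return {e.pid: e for e in events}


def detect(events):
    """Return (rule_name, pid) for every record a rule fires on."""
    idx = index_events(events)
    return [(name, ev.pid) for ev in events for name, fn in RULES.items() if fn(ev, idx)]


def ancestry(pid, events):
    """Image basenames from pid up to the root, for pivoting from an alert to the dropper."""
    idx = index_events(events)
    chain, seen = [], set()
    while pid in idx and pid not in seen:
        seen.add(pid)
        chain.append(basename(idx[pid].image))
        pid = idx[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pid in detect(SAMPLE):
        print(f"{name:26} pid={pid}  chain={' <- '.join(ancestry(pid, SAMPLE))}")
```

Each rule alone is noisy on a real estate (admins do run attrib, installers do use SFX archives); the value is in correlating them along one parent chain, which is what ancestry() gives you, and in the fact that the sample's own chain trips all four.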

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Temp\SonarSolutionsBuild.exe

    Filesize

    4.4MB

    MD5

    9b8723149c4c4aee50f53a2f08be3a02

    SHA1

    a06614bd0e1bb8856b8fdc1b941b3adad9e58194

    SHA256

    db0b39d546fdbfe699c81dbf6f14b705bd00314102438ee5d101a2918cfc38bd

    SHA512

    26cc5abcc47d46a756fa489eb1237b6af420c8a6167372d6789be96a8b833c4a9814882bb07d829b21139e000b2ef59058422c89641fa0b3893f8eb8a150abe2

  • C:\Temp\SonarSolutionsBuild.sfx.exe

    Filesize

    4.6MB

    MD5

    3174874c54ba496c13faeaf3c9a89e57

    SHA1

    2b871e0e3540eb0ecfe2288777b9e7dc76c3cce7

    SHA256

    3810a8fdb92b8a253d858772c0d34796b9b326a01820d1ca6afb2dfe777d2541

    SHA512

    52f9df197394057a5fb495ac662c942b6177462f8ae952fedc507ab60e8ff5828fb4a439f2cb20e22dfdfd336e7290337f043da3e93be7d1a06a3dfcc80caf36

  • C:\Temp\sonspam2.bat

    Filesize

    178B

    MD5

    397b15d0dc10df35388eeaabf030bff1

    SHA1

    6d4c5835723063203fe43bd5cd5872acf5b84e47

    SHA256

    7cfb2f6ab63ab48188df3066b3a537273b77271dbfd5f22480f2f503e338adb9

    SHA512

    2147a3a9248873e87dd97555b33672f33d36c661460ebda1bfbd08cbd6066274f03b7969323ce94c205f557bdbe7a743bb938e95eedd484069dfb7c6df757e97

  • C:\Temp\sonspamstart2.vbs

    Filesize

    99B

    MD5

    1f44ba5ac2e01f3db75315c14585b636

    SHA1

    3ae7ef5ec39345c7d25fbbe5e225f8fbdc4b019d

    SHA256

    16d9996f0ee8e527a6bc5304581d8a4761b1e93edc7f8fb52074219c00c6a1f2

    SHA512

    4fa90f5e97ad9e31c34229bc03b21ccc7a0a203246d2c7c7690b110ee2b8cf89c5d484f01150a43998481f2ad4879f3e83fbf5a06fe3b298f52a7e14a718aabd

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sonar.exe

    Filesize

    1.8MB

    MD5

    0bb0a48942451a8258bc7087fd24a2a7

    SHA1

    b69aa2a06e26754ea43a4763dd300b358331e29c

    SHA256

    dedeee5bb27b2884138832f38f2e93298224cca0ed6fae80b4b08de9c24c2cd7

    SHA512

    b41318045fddc4c113a1ff30021a2f1ea442f72ed1eac8946d5b5e598b94b31ffb18e32fcfcf4fe3c097a5258c4bf72a5abf2048b83fbc2b54151d7e3b4fd585

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\php5ts.dll

    Filesize

    6.5MB

    MD5

    c9aff68f6673fae7580527e8c76805b6

    SHA1

    bb62cc1db82cfe07a8c08a36446569dfc9c76d10

    SHA256

    9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

    SHA512

    c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

  • memory/4028-36-0x0000000000400000-0x0000000000664000-memory.dmp

    Filesize

    2.4MB

  • memory/4028-41-0x0000000000400000-0x0000000000664000-memory.dmp

    Filesize

    2.4MB