Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 19:03

General

  • Target

    b4a9451af3eae12843ff4d2cc67d49cc_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    b4a9451af3eae12843ff4d2cc67d49cc

  • SHA1

    4441af6785df6cab7ce2424c78b47091a3bbf31f

  • SHA256

    5a1b92a89388b818ee6483e9c902e4a4211d059358d0bc1d97f23767f704baa0

  • SHA512

    8c832c99a516300eb577e2e6d66f02b566af2e30f6c2a3d8204d99a9a40d516840e98fe705522d9f703a9b114b0778f5fa3a19f4ce4f42085998f93d2cb5f44c

  • SSDEEP

    6144:T8O7Knvmb7/D26rfo9Am26fBXMZ8R3FXjrCTYTQdq4qJUGQBSpYCMnw2:gO7Knvmb7/D26zZ8R3FXjrC8T8q4qJgV

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4a9451af3eae12843ff4d2cc67d49cc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4a9451af3eae12843ff4d2cc67d49cc_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\quawo.exe
      "C:\Users\Admin\quawo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\quawo.exe

    Filesize

    200KB

    MD5

    c72f64949bd3db441efe33ab6345fb77

    SHA1

    d1464334d21248e38290a4b8961735bcbe73189e

    SHA256

    f4828831fa16d98aeb42ca6a8767eb39512d228d5a37879ec34a405e4b10a785

    SHA512

    f47b588517a7c0f91aa5441f7d1781e3ea7fa1cb13567e20ec4847725059929edb9f1bcd0b13b325ca9020bd9b6162c0c54b6218a51d884b92962bca87d2e3ac