Analysis

  • max time kernel
    133s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 04:32

General

  • Target

    b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe

  • Size

    22KB

  • MD5

    b65a76fd42efc7f36732615706b3b4f8

  • SHA1

    e09918f51e18329003a99f158daeae42d37a40d7

  • SHA256

    c6c491d1e94107c1019008e9862ed1f5d860488dd3b217938383cfe27c66104c

  • SHA512

    7b74be37b4529ec2646217205402ccd11c459e4ae5e4707d527e96a2a8a6876b004100a5415c6c053059630e8f60ff4251b41020aa0a56930fba620850a9e844

  • SSDEEP

    384:9YktYUvegZT1FurcYmkSQRbGyHYF5pJJ0llqy4txdGdeUXqOkiz:qktYkDZTq4oSQRbGgYLpfSq3kAZZu

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B65A76~1.EXE >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\A1A6BC2E.dll

    Filesize

    215KB

    MD5

    2263fb4e09c06ddf4af1f2e6e6eea6ae

    SHA1

    3074a2bfcca0a5dcf51c50521e7ed532ac8bb107

    SHA256

    3001d283c905dd498f58f7a74a11cc4fc0331fb4de1e9fb0e6e80328abce43e4

    SHA512

    7218a02a0644f4aa673692c6f00cc066f199a375c1908cb159280f2350bc039b78eecf32b36f63627bd026e361f43b6f26ad7cd46886e698ddd63c540bc174c1

  • memory/4976-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4976-8-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/4976-12-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/4976-11-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB