Analysis

  • max time kernel
    134s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-08-2024 02:40

General

  • Target
    ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe
  • Size
    184KB
  • MD5
    ba0b5ec370483c684c05b60fc058b4bf
  • SHA1
    cf1d5dd169ef3a94605dc627451809555082eb3b
  • SHA256
    e2e0161762b638e5e82bb7b2dfc9441e56ff72d6afce03944caab138546b74b0
  • SHA512
    221fbb763a45c9f60d96a684de83ff58a2a76f2010167f4ea5fda4e25c3f5b489d5fad32188bacb07db62db38a1d8cc94cac4a5063579f9c71b31ccb84bd1843
  • SSDEEP
    3072:xh2T+7eC8AutTBf4yt8QkZxOfZijfVxWb:xh2i7eiutTBQQkZ5jNE

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe
        "C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe
        "C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\SysWOW64\sfc.exe
          "C:\Windows\system32\sfc.exe" /REVERT
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1136
          4⤵
          • Program crash
          PID:3972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 952 -ip 952
    1⤵
    PID:2760

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe
    Filesize
    84KB
    MD5
    9c72f223301fac7fe0f08ad4c9862ba2
    SHA1
    c83c781a906c5628672150fafe1da9783a729bff
    SHA256
    034698d251a706f1b770a3e60f6ea0370516ba93ddb26d68372942cba1abe1c2
    SHA512
    c65544131a5c6ed818167ead9efa9e7f8d6d63501d663b59e07414737ddafe61e5d6d52f23244a89992b834479ca831e5ce4d2eddd474571c20103a2a3709dd9
  • C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe.bat
    Filesize
    163B
    MD5
    cdc296bda76f85b5022d8aac54e64edd
    SHA1
    0ea756f500e361118738584585c61c9fb8672560
    SHA256
    7f8d4b841222009fdde7dcfd2a347b38a86dd5e140988555d8ed218267c0d044
    SHA512
    03411528c1173e3d8b3fe827a169c0e2c31b3c0b1d88ce7f38b1979ad9045d9cfa321436736975b80de40530b4219c57762ac5979b0579bbfc7f754065264fc9
  • C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe
    Filesize
    26KB
    MD5
    cb37bf28a3cd84662d1f30cd7ef0f24f
    SHA1
    3e69117e3005a64a2a7c235128f81d46160ba03f
    SHA256
    637e392f5ba58f296c450542b49c6ed3cc1e9dd61be9cc1b9f2c37ecd1068f6f
    SHA512
    b19062ce657e876b6699b7b1d45ad36f358742795af604e5c839e2f53e1ea7ff70cc44e5f70ce7bc4e74ad02cb4363025e64c7d8d63d86a2f0625a7fb57f05d3
  • C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe.bat
    Filesize
    157B
    MD5
    2e07854f3dc93027a016569c2b08f15c
    SHA1
    161d1fd2437c00a1cc740db6493e18ec5a7bf867
    SHA256
    e91e1470858fd33e10ccfa500ffe47c3aad4b7b965ff2511d613f675f3bc736e
    SHA512
    5e387480f781edcae97cefa0bcdf543302c4b7e86bcfde5d38d093349962d438e082c371f039c2b5c12956e61eac16d1280ea77b91f37503b8aad2b7a1c94b2d
  • memory/952-15-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize
    44KB
  • memory/952-22-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize
    44KB