Overview

overview

7

Static

static

3

bdd4cc3db4...18.exe

windows7-x64

7

bdd4cc3db4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 03:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe

  • Size

    792KB

  • MD5

    bdd4cc3db4f1cd008d92fecc1323fb18

  • SHA1

    0f5054ead0721a9197daef82a52120d8e58f5211

  • SHA256

    771b17b8bd7f1a10429d713e30526135a814ee181b38210bcf72439fba3d2993

  • SHA512

    2072e89de85b606c1a4e88b7e5177d907165d05b393be72721c3ff7eb8a228e3de773e867e3db06164118696f338c2395cc40ed87543345a9c6bffeb509fe2b4

  • SSDEEP

    24576:C6rTTrLZt640HYTIegYgAAldoCXJK/KbhKMB:CCTPRmqAXoC80YM

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 40 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\spoolv\run.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Windows\spoolv\reg.reg
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2528
      • C:\Windows\spoolv\spoolv.exe
        C:\Windows\spoolv\spoolv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2864
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +S C:\Windows\spoolv
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5032

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\spoolv\aliases.ini
          Filesize

          71B

          MD5

          9e148b91fad20422c534814cfd1f783d

          SHA1

          a10cdcef1e5cd0c0248dc090600ed2ae03b9279a

          SHA256

          c313dde0fe9c8dea102c1db4b7944c89f9e4aec672bc66a0d3d12360ed8cfdc1

          SHA512

          4e09ec3044d3711679b14c4876523983ae90177c6f15f0634e317a44d46ddb1adae7625c3cbe8d11650ef7b72cf8c976eb358e71f76c483196b65f314c426975

          Download Submit

        • C:\Windows\spoolv\ccc.mrc
          Filesize

          9KB

          MD5

          4a10e3e0e7816bcabdd36f600558226e

          SHA1

          c0bd4c2bc0b08c4e547242cff2e943433986fba8

          SHA256

          40d1e0adbb667d9445c3f40e1d96e7aa41471f161ba1a685e167a83b9805c981

          SHA512

          7c8600077e4b0a16ebb512f94b14ddf956b449b3d339335ae30bbd5c73354de87fa5cad7f98efe41c02f62eb133f1eebdff44bd8bed24735e69a3dce55922ea2

          Download Submit

        • C:\Windows\spoolv\control.ini
          Filesize

          42B

          MD5

          405d882eed0cab5b915aa470a265dcc5

          SHA1

          7adfa3476bfc1c248619f0f78da6791faa7aa360

          SHA256

          32680a610219e4de3cdfb104e71a9b3b1c86d3fb6c3f18328e6e161d2e3dff8b

          SHA512

          03a5ce9a968196c605330e8e41a8df57ff86b1b60b60b38a453c13f469bd372679ff55f325cb336cb9c43db6d15b7554c7474fcc1f7515d8e4ef748d278ee723

          Download Submit

        • C:\Windows\spoolv\fullnames.txt
          Filesize

          76KB

          MD5

          604510c63582646e03f1d2e648f8b866

          SHA1

          7ba3a5d68d58c003d2383b8ed02bb88a61882ff9

          SHA256

          99a8c4d6918c89193ac2b6e11d6dfc49dd197b6b69d020dbb7a04b36e33c9bf3

          SHA512

          d27b2576361eee442ec0997adf0e1a7ee1b17dbfd1ad6bc29456eb60a2a84e4fd30e81c5ad095a745a71634eff883cba8d68666a21ba49c004544ae02d6197f1

          Download Submit

        • C:\Windows\spoolv\idents.txt
          Filesize

          132KB

          MD5

          49bf0b00c3af898ba53352670a99d9d5

          SHA1

          05ff339132f58fd5ded52d6caf686fb6afd34f48

          SHA256

          bcdac3b11b8f8238135b16e1e304ecfc75249cff67c148f800ba8c60c2c70800

          SHA512

          6b729a533a6b344ae6954ef57d735d802389fa6da2bc1acf972b2762078121299f85bca50c6c154db1e1afe189c5eca8d9466f8f41231f196a14370e4c416ee1

          Download Submit

        • C:\Windows\spoolv\mirc.ico
          Filesize

          5KB

          MD5

          e09aa9787af5cc53fd7525dd6693cf10

          SHA1

          57445d0779a66c61741822c0a7988573efee13d7

          SHA256

          c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

          SHA512

          b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

          Download Submit

        • C:\Windows\spoolv\mirc.ini
          Filesize

          3KB

          MD5

          bc99034df722b7f971e040408a4d0389

          SHA1

          2244eb8681bef577958d948a1695da806e543174

          SHA256

          19501994e6de14f6164819ac0ee17343d17eedc0f13142dd280338546e92f213

          SHA512

          1c8ba40c8b0ff063ee2ddd586e3efa0ed8ba48df8c274490c3910cb9917ee276a866bb9b6805477843ab0363488acf066795724871577864b757afb02d9e4d8a

          Download Submit

        • C:\Windows\spoolv\mirc.ini
          Filesize

          3KB

          MD5

          3d43c6451e61e72f18f45189798e0e4c

          SHA1

          9c899ffdf249e1d46ee1fea5a2e293cff9b8f17e

          SHA256

          6638366c0a27072ba362e078e7c0891f3df30ba420754536c9f1249f4ffa177a

          SHA512

          fc415fec817bc07bd2f0b1e6f6b38076d99ce71235af70392dacbc37160a6846bd02886644e05720545d8ad54de9a69adcd54c6664f6ecd37bfad5ac2463ef32

          Download Submit

        • C:\Windows\spoolv\mirc.ini
          Filesize

          3KB

          MD5

          060aa57a583a9f085a64e32ac832ddb4

          SHA1

          08c0d1ac014854055324932524828fa864976ed6

          SHA256

          9094a23863e531e7bf130812b3b3c793b9eda853ff193cae7f97978349a17f71

          SHA512

          6459ab330aabf94956fa394f5347b7e62d7b87fe3280f0c59cce96d37d02d1339cbc51bf75f0efde0cdacc98015dafdfcea46003b361b1b822350ed2e3fc9adf

          Download Submit

        • C:\Windows\spoolv\mirc.ini
          Filesize

          3KB

          MD5

          c0191031d352e047decf459502252e04

          SHA1

          a2da243fce11241075d45a33336f0e7b467880d2

          SHA256

          66f0d8323046c53c9d865a682d460d2ee6a3fe532b1ebeb224a4ec6e193affa0

          SHA512

          e05a589c0d8e57d765ca8fe77499ed087a80254e9d84e780faadca0c1fcd363a8569f36b0acfd1beafae53283b1e0cccfcb6ceba0cbf311b08b44706217770c5

          Download Submit

        • C:\Windows\spoolv\mirc.ini
          Filesize

          3KB

          MD5

          a04da21075614b33c3e8a73d42b15e13

          SHA1

          f63a2ba0486ab4156d9af274c17affecbb9111e7

          SHA256

          388bc2d7772e02dda18d0c51a1c12b7e370d6e34093cd6a662552d7b94cae2ea

          SHA512

          04e0c22e14f5dc706161b38fc0eeefb718414522ca8956dd6cbd8553d92a3ef41a0ed7a92f59555af157fc0e4ae18d3f5bb813324ac4b3715aabfd7b7e5b36b0

          Download Submit

        • C:\Windows\spoolv\reg.reg
          Filesize

          1KB

          MD5

          3aee26844ed0e98a2bc350b0bb8ed2eb

          SHA1

          28dc6eb9f9ba8e573370cba29049b63719beb633

          SHA256

          a9deb575c465fa6a28bc38e2e61088a8f16ce30a94844cccf9abd4fe17876f43

          SHA512

          70453a100fa5cfcaa7727308b6a2757016d90078ee583330dd0ad10eae1021a9314b0287389fad7fde817a97a62795838138aa5bc28fbf61e2fcdd2be80e2751

          Download Submit

        • C:\Windows\spoolv\servers.ini
          Filesize

          882B

          MD5

          0c50f397f8202d830f3102619a4baeb3

          SHA1

          3b90db0c8c2e2bb5504f31814a61fbaf88cef283

          SHA256

          f2120c3fac12eb56aea82912ca6c934525bbac642bb3a79d9147a694ad294b33

          SHA512

          421feab3819c1b8e5bbb381eda9d761ff2194977c60056d48a2afe8229e6a5cb1ac50cd590f5740c84ada269f4450bdc2fb7f5179a80896c5b12bfaa12651237

          Download Submit

        • C:\Windows\spoolv\spoolv.exe
          Filesize

          1.7MB

          MD5

          b766003f431cad186bd115f5761592d1

          SHA1

          33cdfe6f7fa6b321f9a51cc051c32ba924164b10

          SHA256

          22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

          SHA512

          d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

          Download Submit

        • C:\Windows\spoolv\users.ini
          Filesize

          67B

          MD5

          e2c6e41a58d2d119301fd0f86d6cd584

          SHA1

          3468d0db0ef6e10e1d3d42237e0a7f54a893b91f

          SHA256

          c8e855ef54675e37d79b4e8c6cf67396800ed809e4b95d6deb7cce971acd2d93

          SHA512

          c79a00db0aa1b182673917b5f28219fdba3b38d6c91c4e04bd71dd3d2b3db98529a506c3fd8dbf0a4a5760cb3c240e1aea9b4407081da591c39a43f0c5892b19

          Download Submit

        • C:\windows\spoolv\run.bat
          Filesize

          135B

          MD5

          ccb995d58bc99b34ea3fa3e97c5583e0

          SHA1

          d72b86500a4a02fa7ad31b7933ce714d9abbe7c1

          SHA256

          27948bfbbdeb54b01cd00ce467660b7a59e6019d9cd61b4e8d687829032a748f

          SHA512

          898492b02492d0764ebf2218e2a2dfe29bcd97213fe577b2eae3b03a7c418d91fbb5b847f76c7e606ca8c95916a5de6423d3fb0a060f32fdc9080f19ada3b4dc

          Download Submit

        • memory/2864-369-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-375-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-366-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-367-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-368-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-386-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-370-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-365-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-376-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-377-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-378-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-379-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-380-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2864-385-0x0000000000400000-0x00000000005CE000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4608-348-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download