Analysis
-
max time kernel
131s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
24/08/2024, 20:43
General
-
Target
bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
-
Size
95KB
-
MD5
bf5e595d5d73e8d2cf28dd4a2c835aab
-
SHA1
ce020548152a7838bde8454bc912b1be02265995
-
SHA256
fbab092e7f035874aa98fae6aa3441573425672f22fd8d6e3cfb524fc69322f3
-
SHA512
6025386318c0e4a8ba086c72e6b64ac257f3cf84e793583ae640f14b6e4b877d3539edc1d81b2b66aa4708ba913bc0a21e32fe4395f58ed6c5741e7a71e31176
-
SSDEEP
1536:EpgpHzb9dZVX9fHMvG0D3XJYwXqf2gUBglcADKd56zAmxFGlbJUcFJVKMgOG9M:ygXdZt9P6D3XJzqOgkjADKd5H+FkFJn1
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 11 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk49.icw"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk49.icw"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132B
MD53fc5639771ac2109b9b785eb798fdf20
SHA11b82d39e7aa2ff1288a4a8307e3a3eefb601d41f
SHA25626ae0538cf98657da39eb016bf34ded3304f429ff03d5e92ee242efbcf892110
SHA512e1faea247e7a38df1f964e9453c2a8eea4733c0bf1fcaca7dc2a007f47d2156fad386fcbfcb3829c9559c487f0915190fbb5d04f459a2998fe3e598a3ebf8671
-
Filesize
471B
MD5e0bb119b734bd28ccbf31009397367f5
SHA154b097cc98bfe23500e25603d088a6b3eee7c97a
SHA25605dc8c8c93f13fcc388a93f5cf37bc6b3ce00112b91204a8349f6e5c739f3036
SHA51237648d6d957b5ae64cc5a459d144ca693b63a83885b19221c153b0aba0bd7aff392ca75b375bd2d7a7f8be02de0bba804e50f3afd95e73a4357089cc32aba147
-
Filesize
404B
MD591c8297a2aa173f21e5ea05303dab8d5
SHA1018ec99dc2786c79ab9b6da2aa82ca7e69778818
SHA25685b2a9ce55a9bb9d9bc60f14302787c21c6afeb9199224e50ea400b3a5200c04
SHA51275dc43426f3cc61d5bb009e094fe116c70acaf4fd551f4bd1670a6d480749d34a450a03a48a3abdb7883dff3f729519b94bdc95ad322d03bb9f55f1bf4c7a55a
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
44KB
MD57c30927884213f4fe91bbe90b591b762
SHA165693828963f6b6a5cbea4c9e595e06f85490f6f
SHA2569032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994
SHA5128aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab
-
Filesize
742B
MD50753d1d0f8471cfe4ce16631eb5dc60f
SHA138417fad21ef6e56bc24b4fb7b6c65967d06bf30
SHA2567c73b3ccdba0a0db983b57527abdb2cf70d1bc588d402d93320248e25ec688e1
SHA512fd3718b45f33e838bc7ed1fcd7221235c45e3a2287272f344b4b1f6262db4cc3162d220d5791872689282671dcfde0d9e7c146800d8de75059cd5cadc38adb79
-
Filesize
80KB
MD5cdadfa1995ac40ecdd51e83c0d67bf4f
SHA1aa076ea83d578e4057ff9fd1e7923a497c133e8a
SHA25656afc62c43b35ede478c5047be22cd8910022baa1d2d18108088009692e6fbd2
SHA51275d44c6f643ba1711d823de2314734b2618df5408c4f2bc153796489452e73b15f9bff531fe23b0c34fc5259e6846bc399e17b50d2ce3e3f0d90bfc412eec5d9