Analysis

  • max time kernel
    131s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 20:43

General

  • Target

    bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe

  • Size

    95KB

  • MD5

    bf5e595d5d73e8d2cf28dd4a2c835aab

  • SHA1

    ce020548152a7838bde8454bc912b1be02265995

  • SHA256

    fbab092e7f035874aa98fae6aa3441573425672f22fd8d6e3cfb524fc69322f3

  • SHA512

    6025386318c0e4a8ba086c72e6b64ac257f3cf84e793583ae640f14b6e4b877d3539edc1d81b2b66aa4708ba913bc0a21e32fe4395f58ed6c5741e7a71e31176

  • SSDEEP

    1536:EpgpHzb9dZVX9fHMvG0D3XJYwXqf2gUBglcADKd56zAmxFGlbJUcFJVKMgOG9M:ygXdZt9P6D3XJzqOgkjADKd5H+FkFJn1

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk49.icw"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk49.icw"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2696
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4904
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1696
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\EditPlus\kk49.icw

    Filesize

    132B

    MD5

    3fc5639771ac2109b9b785eb798fdf20

    SHA1

    1b82d39e7aa2ff1288a4a8307e3a3eefb601d41f

    SHA256

    26ae0538cf98657da39eb016bf34ded3304f429ff03d5e92ee242efbcf892110

    SHA512

    e1faea247e7a38df1f964e9453c2a8eea4733c0bf1fcaca7dc2a007f47d2156fad386fcbfcb3829c9559c487f0915190fbb5d04f459a2998fe3e598a3ebf8671

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    e0bb119b734bd28ccbf31009397367f5

    SHA1

    54b097cc98bfe23500e25603d088a6b3eee7c97a

    SHA256

    05dc8c8c93f13fcc388a93f5cf37bc6b3ce00112b91204a8349f6e5c739f3036

    SHA512

    37648d6d957b5ae64cc5a459d144ca693b63a83885b19221c153b0aba0bd7aff392ca75b375bd2d7a7f8be02de0bba804e50f3afd95e73a4357089cc32aba147

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    91c8297a2aa173f21e5ea05303dab8d5

    SHA1

    018ec99dc2786c79ab9b6da2aa82ca7e69778818

    SHA256

    85b2a9ce55a9bb9d9bc60f14302787c21c6afeb9199224e50ea400b3a5200c04

    SHA512

    75dc43426f3cc61d5bb009e094fe116c70acaf4fd551f4bd1670a6d480749d34a450a03a48a3abdb7883dff3f729519b94bdc95ad322d03bb9f55f1bf4c7a55a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OD2FK6XO\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\nsqBA39.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Local\Temp\nsqBA39.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    acc2b699edfea5bf5aae45aba3a41e96

    SHA1

    d2accf4d494e43ceb2cff69abe4dd17147d29cc2

    SHA256

    168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

    SHA512

    e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

    Filesize

    44KB

    MD5

    7c30927884213f4fe91bbe90b591b762

    SHA1

    65693828963f6b6a5cbea4c9e595e06f85490f6f

    SHA256

    9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

    SHA512

    8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk49.icw

    Filesize

    742B

    MD5

    0753d1d0f8471cfe4ce16631eb5dc60f

    SHA1

    38417fad21ef6e56bc24b4fb7b6c65967d06bf30

    SHA256

    7c73b3ccdba0a0db983b57527abdb2cf70d1bc588d402d93320248e25ec688e1

    SHA512

    fd3718b45f33e838bc7ed1fcd7221235c45e3a2287272f344b4b1f6262db4cc3162d220d5791872689282671dcfde0d9e7c146800d8de75059cd5cadc38adb79

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

    Filesize

    80KB

    MD5

    cdadfa1995ac40ecdd51e83c0d67bf4f

    SHA1

    aa076ea83d578e4057ff9fd1e7923a497c133e8a

    SHA256

    56afc62c43b35ede478c5047be22cd8910022baa1d2d18108088009692e6fbd2

    SHA512

    75d44c6f643ba1711d823de2314734b2618df5408c4f2bc153796489452e73b15f9bff531fe23b0c34fc5259e6846bc399e17b50d2ce3e3f0d90bfc412eec5d9