Analysis

  • max time kernel
    140s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 09:35

General

  • Target

    c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    c073afd8de644949c2c3598230216a66

  • SHA1

    c057eb3365f7be929ffbaa6ffd29a58cea83b9f4

  • SHA256

    c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d

  • SHA512

    346143dc5c765cda704370dfa5ac67ac40f573f8e51f294bcb1a060042af79dc639abf31d4bae1b129c5a97398a6be798ea01b6dcd79b83a827fc0c6c63952ae

  • SSDEEP

    49152:BZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9I:BGIjR1Oh0T0

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\24436.bat

    Filesize

    212B

    MD5

    668767f1e0c7ff2b3960447e259e9f00

    SHA1

    32d8abf834cce72f5e845175a0af2513b00504d8

    SHA256

    cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

    SHA512

    c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

  • C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt

    Filesize

    10KB

    MD5

    82902efa5f6150b52a85cf3bbdf1571a

    SHA1

    6a001febc1a27a38180f8379447ef48b87b5a51f

    SHA256

    1b63b6faf31df104a1d46a542bba5f9ac1364017470805afb3cfad52ac898b30

    SHA512

    5e4c5b5ab82fb96699129c95b2d709ccc4a58b14f6acc52afbeedd099d558591fba269c2316da63ae2ee2173b9f674624ed89c48473202d524f6dd8ad2dd2631

  • C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt

    Filesize

    2KB

    MD5

    c0e2005d15ca85b8b0032b5939cc5655

    SHA1

    953ef2d872ffd164142665d3e076d0a55127ef3f

    SHA256

    17367c28e010e828dc6aa1abf73d86136e0b2e33ce886f09365e950955a98ce3

    SHA512

    69642555cbea5de86d600bab7b63b0b0e92fbacf8e986711a4b2004c2696912fc15d149c7c9d011b46ae3e3aba4852d9b791c07fb1f76b9c9c685aeb78a43e74

  • C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B25~1.TXT

    Filesize

    113KB

    MD5

    1c84506eaaf182f37aae28bee14594f5

    SHA1

    03f50088d9649b61ba4bdb9de5bad45847fd1ce1

    SHA256

    4c074f3139d82b90a8235e788179e528b0fc636e1d04c3494976ecc6b01168fc

    SHA512

    bf619e79adf529c77d34926af6fd9349aba81c4e25890ceba58599175fb9987b44e04c6acc5f8227467a0c95e662f458fa4b6a36351ce9e05a0a1d59ec485bad

  • memory/3292-63-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

    Filesize

    4KB