Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 09:52

General

  • Target

    c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe

  • Size

    48KB

  • MD5

    c07a9d36565dc06adb68f6113746d801

  • SHA1

    c5815d5b8c4963aa05e1c63d5df777000998a7ab

  • SHA256

    b35a6e5a21b4bf295d8faa039e60ae0f25383c13078bf04ccea4503d806ea592

  • SHA512

    214e07c3c75e31fbb9c1d1feb6dc93e6f821f41bf68dbc14c960c19f32f5ae158024d36576224d9c2dfaafeb8a060c073c233e7794d148c497ab68c4ac875477

  • SSDEEP

    768:vUs685mAlVrTDOqbDBFZbhZGwBwX3gxVR8dhwbY2lBd49PsS8ffQNMyG6Slu:MsHbrnvjZbrwX3KqeLj49PsS4OMyG6wu

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4488 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\0065.DLL

    Filesize

    37KB

    MD5

    77c69e31dd552f257074dfa267c59c79

    SHA1

    28a769edeea0781f313d7c3ec3f7003519c7ec6c

    SHA256

    b4484947b07aaadb90c3a31f07e019bcd72469db3ec83a21cbe8770314f0fe0d

    SHA512

    844bb44d603dff7469410e47a962e7eaebef3d49fff7dce9fe89a27171b649823f7d8b2cbe336c9647d67e07bd3a614b2fec7683b311afe5440036c1753ccad2

  • memory/3216-0-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

  • memory/3216-57-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB