Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 07:41

General

  • Target

    c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe

  • Size

    70KB

  • MD5

    c28df91181f376b966d558fd74b33efd

  • SHA1

    3a5881092174ef953d427773d43b8c31d8edd1e5

  • SHA256

    c7c6223c4bf0cde83792b7d19497da7572b42e3ff4b0659f7c379b47c51708c9

  • SHA512

    237a84305f3a862acc5951dd4af3aeb9630feebaa94967dd89db0ce56abd4e4ca7487199fbe8f813ea663591f02780fcd9eaf901206d95975082ce1ebb4abeca

  • SSDEEP

    1536:NYaXzJk4lKgkR3hA039o+vBpb/H7NEDVz+kTQpH5M:NhyVR3H397BpjsokToH5

Malware Config

Signatures

  • Renames multiple (215) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3524
      • C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3472
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1352
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8424.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:844
          • C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            PID:3716
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2816
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3608
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4528

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe.Exe

      Filesize

      603KB

      MD5

      e06d406678cc8d0e514cb0324f8a1d4b

      SHA1

      2111af41f93cad49281476b5341ca2828c055f7c

      SHA256

      be326523a0a393371588ca9af9f34a419f333758bb1d0d90dcfb738da96f4db0

      SHA512

      20fa6757a307ca7d92e0888dc0f1151c91a22758e9f50cd80c352e08f441a4d0160cebf1c67057bf7817a582b9f77b6704858f96e56c52f9727c4f522d14ee5b

    • C:\Users\Admin\AppData\Local\Temp\$$a8424.bat

      Filesize

      614B

      MD5

      6520f397fc04e94cf530d2cab0194724

      SHA1

      ff749c040f56be119fb4d60736f79f60c815a76c

      SHA256

      21df893558dcec2abdb2760eaff61ad8a6e2f98c76044c0e7dc10dc37741b8a0

      SHA512

      e8c13b2347e68384c6b98f4f82999f63671ef3daea4c6ab0a9c639b0eadf996a47f6c5cb450f3f6b42c0e8afb3c084ae8dca2b224dd0bebec0926a8c8bdbf61b

    • C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe.exe

      Filesize

      11KB

      MD5

      25d3c1a5dce621c2f5c35bde131b32e2

      SHA1

      8d1727e136f26bd8386e7237d50cc6b39ca1362e

      SHA256

      53d85864c9c2a58b0d2773c5aaa00d6862a1780acb53625f6e054cb3c2199ad6

      SHA512

      489c7b2aa0cacf8be052249b471883fb7e7ce6e4a178643236e039ae571145307381956ca85c22101aad4dc757ea104146ae7c3938dd492c1c9ef85bf36533a1

    • C:\Windows\Logo1_.exe

      Filesize

      59KB

      MD5

      ae94cf26d3cf1ddfec5acd7270045e54

      SHA1

      575f7b9eedba31fc3dacca8444ae091d369c968e

      SHA256

      5ae541ab2e90eef03ecc84522a6af155985ecb961382e1b81f6238f22ec4472b

      SHA512

      f69ee24775e8e048b80705c7432c11e6f1a6041bad4747a033e48fce3472d8c72d3b0b049316eaba4a8cf14ec840e8e1a65fddcd4f038347996262e48ccc5c27

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

    • memory/2928-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2928-1-0x0000000000510000-0x0000000000530000-memory.dmp

      Filesize

      128KB

    • memory/2928-11-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4860-12-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4860-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB