Overview

overview

8

Static

static

3

d17dd5050c...18.exe

windows7-x64

8

d17dd5050c...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d17dd5050c9a4eec4903767376829500_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    d17dd5050c9a4eec4903767376829500

  • SHA1

    0b6599d18ffda4baa21f4bc09ae9e168d9eee802

  • SHA256

    2b64e39e9ab434dd665ac078b8626f093af9933d051972099f0a9599da1c5f26

  • SHA512

    45239813b612f821bb2491511fdeb77cd566851857c5dbf6f90191fe4a864eb5f23960f5a2b8c3f23ab01a50064e03a5b3e4409fe876306d8453f60a9b8c3476

  • SSDEEP

    24576:EInXgjK/K6dipju3/YQX24Fu+WqAH2k8bQpZrdETYl+nfTQxij6IbIcL:EINSRjuA02J0zbQLrdEi+nfTQxijnpL

Score
8/10
discoveryevasionexecution

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Windows directory 27 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d17dd5050c9a4eec4903767376829500_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d17dd5050c9a4eec4903767376829500_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\install.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\sc.exe
        sc stop ctf32
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4016
      • C:\Windows\ctfmon.exe
        C:\Windows\ctfmon.exe /i /u /h
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1460
      • C:\Windows\SysWOW64\net.exe
        net start ctf32
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start ctf32
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1716
      • C:\Windows\SysWOW64\sc.exe
        sc failure ctf32 actions= restart/1 reset= 10
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3788
      • C:\Windows\SysWOW64\sc.exe
        sc config ctf32 error= ignore
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4320
      • C:\Windows\ctfmon.exe
        C:\Windows\ctfmon.exe /i /u /h
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4324
      • C:\Windows\SysWOW64\net.exe
        net start ctf32
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start ctf32
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1760
      • C:\Windows\SysWOW64\sc.exe
        sc failure ctf32 actions= restart/1 reset= 10
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3588
      • C:\Windows\SysWOW64\sc.exe
        sc config ctf32 error= ignore
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3288
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\ctfmon.exe
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1796
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h C:\Windows\syskern32.dll
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5084
  • C:\Windows\ctfmon.exe
    C:\Windows\ctfmon.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\clusio.sys
    Filesize

    310B

    MD5

    1fcf9ba087443dff8bea77207ee82653

    SHA1

    23b90c44e17d0296a481322a4bc497f39fc4388a

    SHA256

    d0228d2508e9187c56b9f0b032f6d28cc5cbb10667e1e12d9fa82f32ded7071a

    SHA512

    7427969b398e3080836e03f175bc017ee1bc55cc1023b7ce7218581b3ec6c75c9a4ed5d3ab2625a37b1a75c3c97561cd14bda4a96f0196ec3a55607cc39ae114

    Download Submit

  • C:\Windows\ctfmon.exe
    Filesize

    972KB

    MD5

    a97d57906b9427d2d76c1e24d8efc36e

    SHA1

    6d1fef4409bb45a3b03c4d8f1eb5faefcc9363d2

    SHA256

    71f870d447bd74419d718e28c9ed8a3c3a47e9f0ff8f852cb8790903e5d5d50a

    SHA512

    ccb1e1fd83e5d22bfab061373308918d533041b92b46d768e0b410074fafa0893cc8c63a021eeb6ba97f42becbdce8666a60166a588d2340896855d9d22b77ab

    Download Submit

  • C:\Windows\install.bat
    Filesize

    575B

    MD5

    25536ecd5e85d2e751c50d9fc448d5b1

    SHA1

    7950fc3f1ba078147844b1157ff9c62ddaabf887

    SHA256

    4e87787cf54db726dc00b9b5ed90f09cb293d81fb3a1b0af160a8674970c92d2

    SHA512

    b695f588d9bb64d4df4a7be1981fc644cfabb5967ac4427548a7746ca9f57cddecaf2512daf67d917d2d31f4e32a0116b834ff88675c7cce93f1088e1397c1c1

    Download Submit

  • C:\Windows\jerltybit.crt
    Filesize

    973B

    MD5

    7b8fa286633f087b2faf9a9584dcc72a

    SHA1

    d1845d794abc47f610e88aecdc55b7fb31cecfc8

    SHA256

    015c0cdeb93d4b5ed1c7ee1719be6136eaf871dbca5f9fc7c24492093e6b1712

    SHA512

    9756e14708d370ad20f4ad8ff8cc8f739e5575d7a6049fa6fb1af8936e43d764ffc2fb5cf515e127a2644329b4bd953a6237294e8c60097f5800f6b639cf63b6

    Download Submit

  • C:\Windows\libeay32.dll
    Filesize

    828KB

    MD5

    672fe0788779d4b30b8bec4efb32352e

    SHA1

    52f9eaf79480602759961346beac9489a6b4a13f

    SHA256

    b23cdd7e1189750e3b68edfa2402b00bb92a8a9fe303ad44cab4a33f07d957b8

    SHA512

    50d8fbb0564642ded75818c5fdbf52e1783e7707afcc4f9f44959b81be7cfe3c210b93d2e563738b94ee53d88132700e090678402527c38d9a2b0cf13afb9d66

    Download Submit

  • C:\Windows\rasptq.sys
    Filesize

    1KB

    MD5

    8dd2f2a1e98900b79d67541f7656873a

    SHA1

    65e6035530cbc8b19deb6dd678fa64cd6552dc5e

    SHA256

    26e6462fed6f154a3e09a17338249af30feab16a9636560c5d7e31f6cf566704

    SHA512

    408a5ffee18e437cced77ee9cd76884ce909bb92f7fd4b0262c52a1c79165055f4020966a74bd09d4046e770b0a324f3d13cc66e1b5eba72bef9a83d387bcef8

    Download Submit

  • C:\Windows\regedit32.key
    Filesize

    963B

    MD5

    2293486183632e8634aa30a1798bc5e7

    SHA1

    6a75bae4369c16450858ace07d66d30f5a0532b2

    SHA256

    1eb5b1f5a0c14f2602c61179c275b1e30059eb3c69e48821aeb44d4f06395576

    SHA512

    b332f40791897b4dc3d83b267c9405da35cbebc521cabc2fc76bb906f45355b20d37696fee91d5b139f88aeba92364fda720b167bc6399078a2903a842bd1bac

    Download Submit

  • C:\Windows\ssleay32.dll
    Filesize

    156KB

    MD5

    fc7aff0c5c8d6ef7b24d6e73c754f8d6

    SHA1

    87a9b952f7ed5883b21bad39c40d3b6cc58df3f2

    SHA256

    c53e0fb93cee6cc865a109f7447c92020f3c05684507b93a763a1e6f77b2bd20

    SHA512

    4e049ad03e65cb1d4a57c8e6c1c33cb882df69deafa89af5f23437886a611eb02d4fea6d7ca4d2b0a42892e821711fcae6cc1ab65714f307dbff945e5e68b563

    Download Submit

  • C:\Windows\stc64.bat
    Filesize

    114B

    MD5

    df01a7d9e6b061814a003672acfa0c21

    SHA1

    065ed753b19efd9d28b264c394b3d6601c6d7a67

    SHA256

    055738e2e2573f643980c409300ac1b9a71405a44f09060b55c9f2116c2f9b32

    SHA512

    769b624f064f1d3a73040a954e49df1bf1eb47b400a2664ea89cc6fec211f8ed154d2965e6d4c36833ab7c09cba4f821711620dd68e329dbe2b6f8f260c7a15d

    Download Submit

  • C:\Windows\syskern32.dll
    Filesize

    454KB

    MD5

    a8faa200904691b0838726ba66989a1c

    SHA1

    304e210a301f4df7c88834c513564cd07b6504bf

    SHA256

    5d0697f59b041f7c8bca20bf8a3df0fe1c300bf7f5faad8211198205989a0bee

    SHA512

    457f28dd93639948dafe2c7cdc126e6977807f90ee0482aba32872d354dba90591d6290dbffa5ef013c9b368caa905e32aa76acf2a74d0abbd86abc239ec5380

    Download Submit

  • C:\Windows\syskern32.dll
    Filesize

    454KB

    MD5

    ab8ebbb672d1a22c5ec34ef53f788151

    SHA1

    39405dda44c77684d3c7f724a640adede02259bc

    SHA256

    8343a7b725bf7f2c7055e8a49cd1574beaf9611878ba17f70f16d5d47065c9ab

    SHA512

    408352d9398b32ba934d1ea4e5b3a151db279ec01b476bb5ecf7515eff8b2efee17ae7f40810105f9ab07495dc37414608433ddaf4688856b8b11a1d5bf005aa

    Download Submit

  • memory/1460-75-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-46-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-71-0x0000000002680000-0x0000000002681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-70-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-69-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-73-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-76-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-31-0x00000000025F0000-0x00000000025F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-74-0x00000000034A0000-0x00000000034A3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1460-68-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-67-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-66-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-65-0x0000000002710000-0x0000000002711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-64-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-63-0x00000000026E0000-0x00000000026E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-62-0x00000000026D0000-0x00000000026D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-61-0x0000000002720000-0x0000000002721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-60-0x0000000002700000-0x0000000002701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-59-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-58-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-57-0x0000000002670000-0x0000000002671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-56-0x00000000026B0000-0x00000000026B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-55-0x0000000002690000-0x0000000002691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-54-0x00000000026A0000-0x00000000026A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-53-0x0000000002650000-0x0000000002651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-52-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-51-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-50-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-49-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-48-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-47-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-72-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-45-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-44-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-43-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-42-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-41-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-40-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-39-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-38-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-79-0x0000000002490000-0x00000000024EA000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1460-78-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/1460-28-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/1460-32-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-33-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-34-0x0000000000900000-0x0000000000901000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-35-0x0000000002600000-0x0000000002601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-36-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-29-0x0000000002490000-0x00000000024EA000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1460-37-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-30-0x0000000000A90000-0x0000000000A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3424-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/4324-195-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-201-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-198-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-199-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-200-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-188-0x0000000002FA0000-0x0000000002FC7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4956-202-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-203-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-204-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-207-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-208-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4956-209-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download