Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 14:10

General

  • Target

    d48a7fb7d2cc053ab2807e3ef958c8d7_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    d48a7fb7d2cc053ab2807e3ef958c8d7

  • SHA1

    cc273d598ddec5a15307f46b4a480ec1898f8a9a

  • SHA256

    98372210499bdac73108a7ac32d2f1869245a952962ff4c55caba89b8794bd9d

  • SHA512

    430ee39c1cb13c0ecef4cabf54b5cfc809f5a53d71a6c5448f07e34c80053ac3cd47b63eff038f7d3e3486bd1d66a19d5d79ba84aa439f1a2f394c11c2936490

  • SSDEEP

    24576:nSr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNp6:u/4Qf4pxPctqG8IllnxvdsxZ4UG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 8 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d48a7fb7d2cc053ab2807e3ef958c8d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d48a7fb7d2cc053ab2807e3ef958c8d7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4912 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2084
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
        3⤵
        • Modifies Internet Explorer settings
        PID:4528
    • C:\Windows\SysWOW64\Wscript.exe
      "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft172710\b_1710.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\soft172710\300.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\jishu_172710\jishu_172710.exe

    Filesize

    1.0MB

    MD5

    e2590fb7bac27dbfa512820e9139f28b

    SHA1

    209d8d0b77c7a8863a3c68464ce47f6a3f00d454

    SHA256

    4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

    SHA512

    a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

  • C:\Program Files (x86)\soft172710\300.bat

    Filesize

    3KB

    MD5

    3276e152f7be73f7ff71b21680fd29f7

    SHA1

    11d99f74607a166b79d43d7d93f8053ba95c2d0b

    SHA256

    348c59b0a1672999757028c12e4d3e1a5bf66be6a5188dc6dacae1e020954dfd

    SHA512

    bff96ffb01d959a8ee553313b2738a0e8006fc02716e4bd778e7d6ec7ca1ed4037f61abc3b36137ffabe02084f6c4fd192586e5a6c586c685942f6eb440b14eb

  • C:\Program Files (x86)\soft172710\b_1710.vbs

    Filesize

    247B

    MD5

    fcc8f479fcafc76754cf06eb3a83f100

    SHA1

    b8725f75db443d58f9701f3a818262621edc026c

    SHA256

    5c7ab7c228eae0014cb2dc14a44d58beeb223cac41ccc0f82368af31fef4c52e

    SHA512

    7eef9018cd24b464e5750666b81507bbeb1c3bf595777e0f8d486ced0ae7131e40c4e3661cded2370808c469d40f45871127550f8bebc6845f7f665932874546

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    7f9b88e0292691833018388229acfbfa

    SHA1

    50e3d82743913a3f81313549c45dab1ebc3bd69a

    SHA256

    2b930c9f3a0fff3fec9effa7f5d159d5b5c81465a1e23cf040cbcd6ab085b119

    SHA512

    e74cc60bceecdcbe66a67f62921daad7de864d20de476a3a18484b811ba97d1cafe702c2eacb6ba432119186db27f76ffc0fc692fd320d0c0228ec5d598c68a8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    0387f7e7a03120743d6dd28f3821c5cf

    SHA1

    5c4feac5efa17881fd38399086c35d104ca126eb

    SHA256

    5415ba4d343afdfe4fd70e6836cd12c176d9c44a0db0cd7f341d796ca1f95404

    SHA512

    450cb1652a02bb3c997acf0c4258c5b3beaee13d95c80eed607f95dce0609800cbd371261c41e8e73f4422ad9969cc225112ac968c250ad8c759c9911d2ee7ff

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver15C5.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CFIOOOZS\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\nst9C12.tmp\FindProcDLL.dll

    Filesize

    31KB

    MD5

    83cd62eab980e3d64c131799608c8371

    SHA1

    5b57a6842a154997e31fab573c5754b358f5dd1c

    SHA256

    a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

    SHA512

    91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

  • C:\Users\Admin\AppData\Local\Temp\nst9C12.tmp\NSISdl.dll

    Filesize

    14KB

    MD5

    254f13dfd61c5b7d2119eb2550491e1d

    SHA1

    5083f6804ee3475f3698ab9e68611b0128e22fd6

    SHA256

    fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

    SHA512

    fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

  • C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

    Filesize

    2KB

    MD5

    a02733eff3bcb5b60cbb0d07bcd8b0e2

    SHA1

    1383a5e092bc758750d50e8585f880bd80560c62

    SHA256

    6270394214370f0ff4389594e3a1083579b2325f08e1df7a3a29f141935593d2

    SHA512

    27d236c06a0d0462e8b2681c28494025f1b19e2a6e23c8e000679a78f7208ce25d9d95eb2902d0437b221df3dab3b4cb14e90d39ea27636a09167f696045cd31