Overview

overview

7

Static

static

3

d9edd89ca7...18.exe

windows7-x64

7

d9edd89ca7...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 08:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d9edd89ca749455085e7f7c67abef688_JaffaCakes118.exe

  • Size

    576KB

  • MD5

    d9edd89ca749455085e7f7c67abef688

  • SHA1

    42f36526e59bc86bcaf5189eb7b721b6decf7d27

  • SHA256

    2f0cbaba5c7f7542af504c158bf1fe37a23b9093dfc5e7f613daead33f0c852e

  • SHA512

    c9475047161498710066bbcce5ac3a4a10bb3d9ba8bcb7d363b8ac694e00ca864bc0d332f2358291cb8b297645e4f83f46b6977da398474cc50564487c28c3e2

  • SSDEEP

    12288:rElnfTOw+WdkyUZPHYo/Jovolw/S1K5kU7s:AtSDWdkyUZPV/ug+/QKuP

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9edd89ca749455085e7f7c67abef688_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9edd89ca749455085e7f7c67abef688_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\d9edd89ca749455085e7f7c67abef688_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d9edd89ca749455085e7f7c67abef688_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Windows\Microsoft.exe
          "C:\Windows\Microsoft.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3088

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\server.exe
          Filesize

          651KB

          MD5

          a668e13eaf4c95df478f18448b4d1980

          SHA1

          1f52d54abdf2438e32acaaf00f8f9396d6d75135

          SHA256

          1d12eee82b5e97857b53435e21b6554566aafba56f83d763e8bb5ad9d26b78fb

          SHA512

          f8fc92bbb128bfbb453e560e63d5f884fa3dfabe1f8d94b79ba4bc67671db6dd35e96fd7ed06f4e454488b906dc2534dbfe50c9ea36af2d3f79d059701c87414

          Download Submit

        • memory/216-2-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/216-4-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/216-23-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/3088-44-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-40-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-35-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-36-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-37-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-38-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-39-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-48-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-41-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-42-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-43-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-47-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-45-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3088-46-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3732-24-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3732-34-0x0000000000400000-0x00000000004AE000-memory.dmp

          Filesize

          696KB

          Download