Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/09/2024, 19:06

General

  • Target
    db0874559083b0af246bb7d04e08e81e_JaffaCakes118.exe
  • Size
    26KB
  • MD5
    db0874559083b0af246bb7d04e08e81e
  • SHA1
    8fd6da34a8989884581e63cda93c52854a302ec5
  • SHA256
    99c4a1e32143337ea29a8e8ea9743b78fed5fa1ebc5b3ac81305d14817f7d147
  • SHA512
    8d7c48bdb8f1286d51d400d82f1b44d52f55e2048e3d1aa6b930c64cadff0d34687ceae74c81b96225bc6c02168cafb65c088b3e333dca4ab1b391c347b77291
  • SSDEEP
    384:bBPXIezdINHTMAE8HLBdv3qRMJp8t/Vs5kVZRoFaScvGAllBKlThlejY:eezdIZ08HDv3qKJi45kPhf36tiY

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db0874559083b0af246bb7d04e08e81e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\db0874559083b0af246bb7d04e08e81e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\wincheckzy080601.dll" zyjkl
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\mycjjk_zy.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Windows\SysWOW64\wincheck_zy080601.exe
          "C:\Windows\system32\wincheck_zy080601.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1896
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3980
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\jkDe_zy.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3212
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4432
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:692
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4652
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2344
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\jkDe_zy.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4580

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\wincheck_zy080601.exe
          Filesize
          26KB
          MD5
          db0874559083b0af246bb7d04e08e81e
          SHA1
          8fd6da34a8989884581e63cda93c52854a302ec5
          SHA256
          99c4a1e32143337ea29a8e8ea9743b78fed5fa1ebc5b3ac81305d14817f7d147
          SHA512
          8d7c48bdb8f1286d51d400d82f1b44d52f55e2048e3d1aa6b930c64cadff0d34687ceae74c81b96225bc6c02168cafb65c088b3e333dca4ab1b391c347b77291

        • C:\Windows\SysWOW64\wincheckzy080601.dll
          Filesize
          27KB
          MD5
          f2544044525f6647f3ac7a97ee99c20a
          SHA1
          b1f5c6f38ed50af9612c6c709eae02e62133cb58
          SHA256
          ee3633b3080b1a7eb11a98f02cbc9bf2b5b7ece1f47b4c50d5ce0d26d84adba3
          SHA512
          a478d0014a5c4c1e7ccdbc59a1b2143d056bad1b3e37cc43e0485ba2d2c50b196c1f86c81523a87a991818c59223f7c196d34d9ecd01c7f28b7bd08408eb2bf8

        • C:\Windows\checkcj_zy.ini
          Filesize
          146B
          MD5
          34403307bf31c3d6f05692fd1d83b5f8
          SHA1
          57cea1ab06f01d6a7f0cd37bca6c37999949e3d8
          SHA256
          1cda6d7707cf0ed3339c229548917beeb97df53a2d5e8db3d2a644b214170f66
          SHA512
          928d1e718052e978816828749efc63509008f787d1f9b79b0bb8124d2dffda63cc85161e474d53e16ac31c47a9e3f384c3847dd00755f9bd448cbbb86c2e3d15

        • C:\Windows\checkcj_zy.ini
          Filesize
          145B
          MD5
          2f034c950c7e72caa278307442923a54
          SHA1
          04d297a6b570b0055ac84069b393ba67a8f71989
          SHA256
          7fe3666a90f41dcc7e14f384f10a244398eaf38d2f95eb564f8fdc27800a6429
          SHA512
          3689ff66399d3ec0be10e155c000fd4f74c7829ccab9418dbda3987a8a3d387b86ec11651ab3439926c54ed410fd2ed922a6c91027b6424c12dd37254fb15047

        • C:\jkDe_zy.bat
          Filesize
          147B
          MD5
          70cb65e4a5ae9024a0c8ce1d2709e953
          SHA1
          ce7b616c1864f781a23ed033f351499930f9ed6a
          SHA256
          9aaea7210e8837bc8844662f6a58ef2b88e78c8c6db7f02923f0d3e9ebf672bd
          SHA512
          488e56fd254b5b32ccd259638117b2d647bf7fc67c4223e619cba92cd30dc58263bb42cc5b46c73042682004661a02731776bb5c40fc7cd6323cd3054f55d4ea

        • C:\jkDe_zy.bat
          Filesize
          233B
          MD5
          2f220849d3c3031cdfb6805d7f65afb2
          SHA1
          3621e25f8dbdd816f5106759332bb8f21d0c221d
          SHA256
          ae0845626b788a6acf787b5fad56ccedf208208c4877c87586b075efb563ce50
          SHA512
          a2966a97cf81dc5a15a3d9a43a81d3ac386671a62792b3e32acaf6f92e9fe0c11997f8e1864493c9d667fdfa15484ac14c20eb286faadcdbe0977d69feb4c269

        • C:\mycjjk_zy.bat
          Filesize
          55B
          MD5
          8d72eb8e536b29ad247e1a3468ff0fe4
          SHA1
          b0cf9507e902d4ace3ed62a740773246b9891a06
          SHA256
          827d806962280cf3fae6783eca34f4942352506e77b8faa64a782d92a563fba5
          SHA512
          61df264d9d88ab1fcdf78483b2d35c954f79d5c3c40d4ec88c387beecf9eb8e9bb8d8354724fe88bf2124d079de88e5cac68a9580593b133a5b7b21b412580b7

        • memory/516-16-0x0000000000400000-0x000000000040D000-memory.dmp
          Filesize
          52KB

        • memory/516-22-0x0000000000400000-0x000000000040D000-memory.dmp
          Filesize
          52KB

        • memory/516-37-0x0000000000400000-0x000000000040D000-memory.dmp
          Filesize
          52KB