Overview

overview

7

Static

static

3

de6c93027c...18.exe

windows7-x64

7

de6c93027c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    de6c93027c33413b8e7a1e54eb5b1a4a

  • SHA1

    437ac2d99ff9790880ce7075112841cd8c52cff0

  • SHA256

    3ce20da33f839e3ba6f037b1443e5a3afb62c78cf8d8d6bf6ca7a31202ee5caf

  • SHA512

    c8f66ca5d47b8d6020351d108f65167ccff79f751f6c8f188c8975c4ee644567e9a729c88f80a4cb79bb02bb79e021894339bc4b5cb782f5df4ba6d27d003e12

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5i:hDXWipuE+K3/SSHgxl5i

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de6c93027c33413b8e7a1e54eb5b1a4a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\DEM5DEF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5DEF.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Users\Admin\AppData\Local\Temp\DEMB46B.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB46B.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Users\Admin\AppData\Local\Temp\DEMAA9.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMAA9.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Users\Admin\AppData\Local\Temp\DEM60D8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM60D8.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4372
            • C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:980
              • C:\Users\Admin\AppData\Local\Temp\DEMCF6.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMCF6.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5DEF.exe
    Filesize

    15KB

    MD5

    37b8fab2081026acd1b3d1f3e781059a

    SHA1

    078e89f1499b311092fda930e0e3667f83f08044

    SHA256

    c6504daaeb9404c8762b3c8434269ab3211109d6a7cb96e67478858e79636094

    SHA512

    8fa02a52f26105533295664c56399adc0e9fa4e1098710ac3faa44003ac1571bb0c46674ed0fb49ce5c77b527201058f93a14d78018cbfd004cac802c9f09ad9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM60D8.exe
    Filesize

    15KB

    MD5

    7dad293723f906b32e7cc9efab841954

    SHA1

    c85a946613afedd7d6463fbd1281fad8d25a0881

    SHA256

    83d81e71067e498a8617e2ccfe67b47ca7b572e8c5b10c590036f0f4e42cffc9

    SHA512

    3f15e83d79d215b840ba9f193adbd563167c1c18f09b2d81f6b504f52c125a3bd2218179f781582c0d6c8d820ed17d20d81940579107491a9caa5996c64e402b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMAA9.exe
    Filesize

    15KB

    MD5

    897cd4582c8d61f8c0d8e72f6cb8aab9

    SHA1

    e2a19b39af97cbd8f0fc5aa049c32968737b59bf

    SHA256

    963473c3259b4c5d4b263efc6b3b2b9553abbd19037fb8393c0487a376afb7e0

    SHA512

    858cf4c87f1d1a370ab607340e0edfd0ce886e7a691a71df2de4f34a17402adf4933df786a4e1ff5b7671a2221eb5202aa9b8a7a5fbb611f57bfdffc790d4c0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB46B.exe
    Filesize

    15KB

    MD5

    1943a5e5bd1f44af9682d1b0610377ac

    SHA1

    e697e220edf79627c66a6b7ab0e040a0ffb21eaa

    SHA256

    d31ceacff420cb5105bd0d2e1c9502063904ca63330f597022f85bc02b22ce72

    SHA512

    29cdc30a2b6b2b4d0c90d15ef74cee78bd02ac79b646f363bba8eafecd8d315a2338ee9cc76d496ae66c4d60aeff81ac7d13f795216f43876e61b14d9189fe3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe
    Filesize

    15KB

    MD5

    edf26721dba778e86f9818a7c8dc64e9

    SHA1

    79b0bfc8cabb17dca563d6ecea24f37f859038e9

    SHA256

    81a9336f2be17b68d483677941972129163da7611e32031fd36e7c6a7b063459

    SHA512

    fff439e11d12f494fbcd27a48c4c7622fefc525c6524872a726674d8b508926a0f0245852ba1f95a5109dc3a3b1071e1218056202a18a74ef60fbbb939c20abd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMCF6.exe
    Filesize

    15KB

    MD5

    9e1b19b59e165302a2850098a1853f32

    SHA1

    f3c43da73ca9ef95d066fe3e5b91a9db0ee1c16d

    SHA256

    4548c3a4fd4952487a5c582d45e997732aa15b9b4c099f8c3fd86f831401f2b8

    SHA512

    8587d188828c0dd05b784314f29eae2c09ee8c1d84f09bf67abc3c0d88e83774364abddf1871e08bfb1208ef844c4416d95bacd6e0e0760730d2d2c818b91800

    Download Submit