Overview

overview

7

Static

static

3

dfeb1bbdf8...18.exe

windows7-x64

7

dfeb1bbdf8...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfeb1bbdf8787ebff7c907322b681a17_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    dfeb1bbdf8787ebff7c907322b681a17

  • SHA1

    71c52297c4c08eea703bb8a54b0ccdc5e65971d6

  • SHA256

    18c45baa598ed983af5c794f5794e5a285c6c888ec0a9f4cf6be3d0533085338

  • SHA512

    999146a9b97c8251c6f9222459e35c5a284bb9c613073b8da62bf6e3b980823fd89d5b0c5a4c76739fff8f933fe649e874799951dd683aad29eb938fd518865a

  • SSDEEP

    24576:YustuOyVBwGH97iQqbFR9A7aCs6TRZdS67jbVHK9L3QoR6RtQeUa0QPappqjn:YUVu5pbV61Z461KhR6RtQDpkT

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfeb1bbdf8787ebff7c907322b681a17_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dfeb1bbdf8787ebff7c907322b681a17_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\SvcLog.exe
      "C:\Windows\system32\SvcLog.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3324
    • C:\pec.exe
      "C:\pec.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\SvcLog.exe
    Filesize

    535KB

    MD5

    1445a0223695389d0e0bbe98cabac458

    SHA1

    b46231475c5741cb34bd8ede89c767b7507d9ecd

    SHA256

    d9f1b6b2e23b3e92a85ce0916ec76426e92a0066897818e9f08e29724c69c842

    SHA512

    9130ae71e89335343bbb989f4fa0742d00bd758da71c2faff42ef76fc594f83eaf2feeca4d3be270b305ca4142dc2f5f0196d45c7ef9133a0caa7a2da817c2b8

    Download Submit

  • C:\pec.exe
    Filesize

    531KB

    MD5

    53fa41fcabdb8fd7b110c9681b88f627

    SHA1

    b6c0378ab6afab862f5160f70174db1f6ef1b607

    SHA256

    f3f5ce9b699e42f2767d75d01d950b0c79039f9531214423901700e40cf254e4

    SHA512

    802b20f7f50103cc6281ee8f2483cdfbec841bb6e180708be3bdd9ac813b2477bf12a60f37e6ae537535035a9be5d92e702a6e8027b2f574682366d59227a532

    Download Submit

  • memory/2444-0-0x0000000002380000-0x0000000002381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-22-0x0000000000400000-0x00000000005D1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3324-21-0x0000000000740000-0x0000000000741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3324-25-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

    Download

  • memory/3324-26-0x0000000000740000-0x0000000000741000-memory.dmp

    Filesize

    4KB

    Download