Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-09-2024 22:14

General

  • Target

    ea10af19bcfc45e4054a8583a9cfb4d2_JaffaCakes118.exe

  • Size

    45.1MB

  • MD5

    ea10af19bcfc45e4054a8583a9cfb4d2

  • SHA1

    93c5151b0aea4c18034e235b44e69602342b6d23

  • SHA256

    20779d3a0954a00965e2c969406ff3596d6b60ea6d04be4ced377ffa5e7b22ac

  • SHA512

    69ef2806a2e55aa15f1f0c7dc7609167c0479f54a9a9e5377fa3d35e6fe1f066b1e45a719c6f9c4e8753a91b11da8f2c30acffa0a5365fde35222412e1c24f5b

  • SSDEEP

    786432:Dzu5xn34JpxDBD5FGx9WGtVdj4H0pBXE1ByI3gdjorY/Hn95L2OIBT9AS:+z32xDBD5gx8GZnAByW6Hje

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea10af19bcfc45e4054a8583a9cfb4d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea10af19bcfc45e4054a8583a9cfb4d2_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS1F7E4FF9D2E542589AE1E16E6CB3252A_4_17_6_4336.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\ea10af19bcfc45e4054a8583a9cfb4d2_JaffaCakes118.exe"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1116
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7730523A3A7D43A14EBE3318B20368F8 C
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1568

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS1F7E4FF9D2E542589AE1E16E6CB3252A_4_17_6_4336.MSI

    Filesize

    44.3MB

    MD5

    691ccff02b1df29094dc4aaabcfd59ea

    SHA1

    20a4946a1800692fd777d6392452ca5e2d89b1f5

    SHA256

    59f22b3b74fb02c319284a50f3b45d7f5aa285feecf3e4c084a8b8d15b82c936

    SHA512

    074d2c0934818c9562bb6e0df5403fb9e3edb5bbf71cbfa9dcb766d9130e9e9b123e022ee6a85447b14736fa1c4095020e3d94f2681a15912656b38ee7f6b225

  • C:\Users\Admin\AppData\Local\Temp\MSIA44E.tmp

    Filesize

    65KB

    MD5

    b02eeaca3a0950659793dd40e1ca44ec

    SHA1

    d607b42701cea0504afd3e172dfb9df732e67ba0

    SHA256

    4cad23ae1201f4311d73b08d72dedca157c8dd587ed1d44be96b9c5149e494da

    SHA512

    f744aefa8b567cce3bc13994f71434b75d299714c8fc6a157b17e364d0c6c771ed5a1dd3646a715303d3f519a5c76c53ac37a1714a04ff74d94c364efed399a7

  • C:\Users\Admin\AppData\Local\Temp\MSIA4DC.tmp

    Filesize

    238KB

    MD5

    792953a279efde80e70561e5fa2fe5d2

    SHA1

    c91b6612145f96cc3fd1c7b12736427d4ea7df00

    SHA256

    bb67895f98f5dedd9090ec8f5476b998e353b8ed444c225dfd6fc06e6939cb89

    SHA512

    9fad635f819aad740bb6b72e5e2c293ffe217e3e54ca43c864139e3e83d272dfffbf8ebe9fa02ee00e690a04aa6728180ae89e15a599aa3f310a53bb1c34e149

  • C:\Users\Admin\AppData\Local\Temp\MSIA4FC.tmp

    Filesize

    13KB

    MD5

    b5dee73421d4c156143371161173bc3f

    SHA1

    835fd4e746515485ac6baad4273c587d13e24ccd

    SHA256

    d3be2427ca4d43d08c8a8f7575c2b0748092e52f4a976f894746f962ca977841

    SHA512

    4888d5dcba735cdf9a4e041af99f443c082f96d9a7ac5f8d45be1a547b654459e35fbb75c117b4c0019f6bc42874653e9594bb1c4191986b0de5b1658a55cfaa

  • C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP\WiseCustomCalla32.dll

    Filesize

    172KB

    MD5

    6256cd1a5ade17263eb0aa0758e576a4

    SHA1

    c2b0be38589d87dd5f298df3a503d2482bf83752

    SHA256

    3dc8037115ba3a280b291d62f6c722d6c881d462908bef338920371938d5eb4f

    SHA512

    947f29ea9e9f64bc2b3c6b8ccd26ac248ad5febef57ebbae0d59b8764e9c155112e0debc6dc0f95dbedf6ff8e4e75b9caf5c5268c56f21db77a528a8d27deeba