Analysis

  • max time kernel
    91s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 00:16

General

  • Target

    ea3cb873084d15bb616da461122cf5a8_JaffaCakes118.exe

  • Size

    388KB

  • MD5

    ea3cb873084d15bb616da461122cf5a8

  • SHA1

    655504b1aa501b9cef757578d887826c88dc18e9

  • SHA256

    5aebdd15d9d937c587c1445199c1119cb4cc9ba75209156d223cba83daabb6d1

  • SHA512

    ddb997d46d0cd8c93da2bab0e0b4c52f090ab5885bcc6e3a5902d82ce6239bf0878e5c4888e81e4d8d6e5f35952ac6f07952a0d39b682adf6e06f3c9c7128f41

  • SSDEEP

    6144:xQq7zwkx+Gj2ldlTusrV9BWW7UmUZV/v6yTwVABUIwqgIt2ccJ5iYB735dMjSw6:70kfj2ldksVWWKcVoUBiQrAYBTDGb6

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea3cb873084d15bb616da461122cf5a8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea3cb873084d15bb616da461122cf5a8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l43.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l43.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk43.icw"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk43.icw"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4676
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\a.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4900
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4828
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4408

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\EditPlus\kk43.icw

          Filesize

          132B

          MD5

          33ebdde8b51ea0e7f5aa0a83b2265644

          SHA1

          be0c08f1f3c712e7c88eaf1792db3e7b68953c39

          SHA256

          25a237b2976bada35eda640d366a6923cb7d877452a39254028b063eace947fe

          SHA512

          9a457bb35977ec153bda788fb046e2f847b83d1878358eb97e5f0b9a117e482d439599e710c92bf0a7e32af0fb60e8923178e9dd02d83d85da88aa589e0b11ad

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          33bac9325241193616461afd5a0deb0c

          SHA1

          e78ed72996568bc9616f4d6b20403749252b4859

          SHA256

          cb0b78d15b774b91ab6f6ef315a14f301b85b40122a72622818753212538f5b7

          SHA512

          3054cbd1551e36a747fc4c7086d3cc484530ea13d44279b4f5f92d462d91d7e3322bb240edeedd517751c00949a6264b50322464e446290726fde18ac4eb2e2e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          bdd3a5d7149afe72a384cab81cf8a3e2

          SHA1

          ab29a206b137ec398dc843910ab8b5338ccd1467

          SHA256

          e8e9d17991570b41f27474af46fbea8cb7a99aee837856b7f8776e1f87c00429

          SHA512

          b1055de35d76b5476fca7c95906f993168feb2719642a9308916abd5515b8f6ed0fb848dd4964f11f795fde8e9442bed8e3c48143ed3ea1725dab628d60640a0

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver47C2.tmp

          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZK5NPJWQ\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Temp\nsxCD24.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • C:\Users\Admin\AppData\Local\Temp\nsyCDC1.tmp\nsExec.dll

          Filesize

          6KB

          MD5

          acc2b699edfea5bf5aae45aba3a41e96

          SHA1

          d2accf4d494e43ceb2cff69abe4dd17147d29cc2

          SHA256

          168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

          SHA512

          e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\a.bat

          Filesize

          56B

          MD5

          b850cad2b7b0f2868b92aa8164c5f765

          SHA1

          62e671e7fd9ccc004d53621b6b378acaa52295ea

          SHA256

          28d14987e59854e2ec2fc46a05a05748f50f9db89cf180046e45a4874ac8db56

          SHA512

          a5e6e954f7952717e859bd9e62cc0c52efa8052943e8db2f4cb3640e3e31f5f6d70f310a1176bfadfb84be9a0c94c919b12bb49a65f7c8a9018df238a4db2b61

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

          Filesize

          44KB

          MD5

          7c30927884213f4fe91bbe90b591b762

          SHA1

          65693828963f6b6a5cbea4c9e595e06f85490f6f

          SHA256

          9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

          SHA512

          8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk43.icw

          Filesize

          840B

          MD5

          fdf007061fa11ce3ffd8cf8f8ba0f818

          SHA1

          a9746be7e1c744059f62bc7088552b36bdc0dd3e

          SHA256

          fab27fd077a7db2b49a37465d0908241727e7cb230348ed8e0da9432dd6096d6

          SHA512

          952a519b54b0f1dd0f6e3f1ef115b2923ee2356ed7ed80efd8abe55a300f40fdb68d3eafe918aa62fbea376bc4cac845df771a6393f590d0be444051ff65a476

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\setup04316.txt

          Filesize

          346KB

          MD5

          552a4c8813767bbfc8f4ea544e56f6ac

          SHA1

          343c95818d698d5ca80e0c962bf770221909f312

          SHA256

          91d668957f7d4e345b899b11f82a76a7928364cc1be99a7f9b67808e8a2e1c1e

          SHA512

          e194aea5bfc0642aa737064070612f6597586e3ca7c9b9701e5c730ee17c7b0c37500c78513a267e182b0d9ac0bf15374aa27ac4fea74515877796d8980c7072

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

          Filesize

          80KB

          MD5

          b485de47dfa038e4fc1b6f1782d07ad0

          SHA1

          67b68902d56bb7cf1d3292bf152f85572fc53786

          SHA256

          74ea2288ae1fad84f215ab40b0b9fbc0ae50996fe751fa5d615ae8586d1f4121

          SHA512

          5558228f6fb0f92eba5035d4ea75e722c227566a4d71a523c517628d1cf4b0e2cfea94495cb09423b21276e0ef568545a3eb628daa7f94a258a8659ed5d6cdd7