Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 03:57

General

  • Target

    ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe

  • Size

    117KB

  • MD5

    ea8ae6be1c3aba0a409539166924e54b

  • SHA1

    5dc53713e4d343a18ab6103a8383d5fb74752cfe

  • SHA256

    9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78

  • SHA512

    aff9ab4581a26a07e1ece6552d743e5d7c0e068c1525569803e7d20e6229593ff3f8276b92aa1a1fcae3f9330c96c92d2244759a8fe5e271cd143a0e6bc488d5

  • SSDEEP

    3072:E991btnhShlotSKxbUp7Zn4PrgaiW6gjfApzohK1Rb:k1bFh86tQp7Z4Pr5ppMFEKP

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\SysWOW64\inf\svchosd.exe
      "C:\Windows\system32\inf\svchosd.exe" C:\Windows\wftadfi16_080814a.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\system\sgcxcxxaspf080814.exe
          "C:\Windows\system\sgcxcxxaspf080814.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4508
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4508 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2864
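The process tree above is the most reusable part of this report: a binary named one letter off from svchost.exe running from C:\Windows\SysWOW64\inf\, a batch file executed from the drive root, a second-stage executable in C:\Windows\system\ (not System32), and that executable launching Internet Explorer. The following detection logic is an added example, not part of the sandbox output; it runs four rules over constructed Sysmon-style process-creation records that mirror the tree (the root process's parent PID is assumed, and the SYSTEM_DIRS and LEGIT_NAMES lists are the author's choices, not something the report states).

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


# Directories where Windows' own executables legitimately live (assumed allow-list).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Well-known binary names that droppers imitate with one-character changes.
LEGIT_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}
# "/c" followed by a .bat sitting directly in a drive root, e.g. /c "c:\mylstecj.bat"
ROOT_BAT_RE = re.compile(r'/c\s+"?[a-z]:\\[^\\"]+\.bat"?', re.IGNORECASE)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def analyse(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: [finding, ...]} for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings: dict[int, list[str]] = {}

    def flag(pid: int, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)

    for e in events:
        directory, name = ntpath.split(_norm(e.image))

        # Rule 1: an executable under C:\Windows that is not in a real system
        # directory. C:\Windows\system (not System32) and C:\Windows\SysWOW64\inf
        # both trip this. The tree shows the command line saying system32\inf but
        # the image path saying SysWOW64\inf: the 32-bit parent wrote to System32
        # and WoW64 file-system redirection placed the file under SysWOW64.
        if directory.startswith(r"c:\windows") and directory not in SYSTEM_DIRS:
            flag(e.pid, f"executable in unusual Windows subdirectory: {e.image}")

        # Rule 2: file name one edit away from a well-known system binary
        # (svchosd.exe vs svchost.exe).
        for legit in LEGIT_NAMES:
            if _one_edit_apart(name, legit):
                flag(e.pid, f"name masquerades as {legit}: {name}")

        # Rule 3: cmd.exe /c executing a batch file from a drive root.
        if name == "cmd.exe" and ROOT_BAT_RE.search(e.cmdline):
            flag(e.pid, f"cmd.exe runs a batch file from a drive root: {e.cmdline}")

        # Rule 4: a browser started by a parent that is neither a system binary,
        # an installed program nor something under the user profile.
        parent = by_pid.get(e.ppid)
        if name == "iexplore.exe" and parent is not None:
            pdir = ntpath.dirname(_norm(parent.image))
            if pdir not in SYSTEM_DIRS and not pdir.startswith((r"c:\program files", r"c:\users")):
                flag(e.pid, f"IEXPLORE.EXE launched by {parent.image} (pid {parent.pid})")

    return findings


# Constructed events mirroring the process tree in this report. The root's
# parent pid (0) is assumed; the sandbox page does not show it.
SAMPLE_EVENTS = [
    ProcEvent(764, 0, r"C:\Users\Admin\AppData\Local\Temp\ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe"'),
    ProcEvent(1912, 764, r"C:\Windows\SysWOW64\inf\svchosd.exe",
              r'"C:\Windows\system32\inf\svchosd.exe" C:\Windows\wftadfi16_080814a.dll tanlt88'),
    ProcEvent(1460, 1912, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"'),
    ProcEvent(2336, 1460, r"C:\Windows\system\sgcxcxxaspf080814.exe",
              r'"C:\Windows\system\sgcxcxxaspf080814.exe" i'),
    ProcEvent(4508, 2336, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'),
    ProcEvent(2864, 4508, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4508 CREDAT:17410 /prefetch:2'),
]

if __name__ == "__main__":
    for pid, msgs in sorted(analyse(SAMPLE_EVENTS).items()):
        for m in msgs:
            print(f"pid {pid}: {m}")
```

Run against the six constructed events, PIDs 1912, 1460, 2336 and 4508 are flagged and the original sample (764) and the child IE tab process (2864) are not. Rule 4 is the one that needs the most tuning in a real estate: anything that legitimately launches a browser from outside Program Files, the system directories or a user profile will trip it, so review the parent image paths it reports before alerting on it.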

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPQ9CKS7\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\inf\svchosd.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\System\sgcxcxxaspf080814.exe

    Filesize

    117KB

    MD5

    ea8ae6be1c3aba0a409539166924e54b

    SHA1

    5dc53713e4d343a18ab6103a8383d5fb74752cfe

    SHA256

    9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78

    SHA512

    aff9ab4581a26a07e1ece6552d743e5d7c0e068c1525569803e7d20e6229593ff3f8276b92aa1a1fcae3f9330c96c92d2244759a8fe5e271cd143a0e6bc488d5

  • C:\Windows\dcbdcatys32_080814a.dll

    Filesize

    233KB

    MD5

    c1a4dde8f18b64842981b2905ce2ae38

    SHA1

    44adb92b12222db9d9df84d8438f592cd9fcb804

    SHA256

    00dbe9fe8b3d17edafe847474850dc716b4c52dbb581fbacabadf91febfb1816

    SHA512

    d3501decbeb47f0487fb94ec816dc98d42f98bf332248f6e1010282e3afb1d06eeb1b0d7d6aca45d51c98370a7a9bb6ec0b7e606f0fd15973fdcd68fb816fc93

  • C:\Windows\tawisys.ini

    Filesize

    61B

    MD5

    8ea171784e2cc23eb21bf954e4953cbe

    SHA1

    5fc77fce79b47411f77f2dbfc480fcdf1f235c5e

    SHA256

    65e12ba78b34e03df0dc632b95a331e9c8ee5185fe8d8db907c58d0f864b8faa

    SHA512

    61c0c54e0660d24f45f23d8b2a4922942cb301246a3ac3cc00401a31886d1ab38863ecf2b5acfc14f9d0b2f9448bedc07c7e06e86a83bddb89a7ae9a3ccafe80

  • C:\Windows\tawisys.ini

    Filesize

    462B

    MD5

    52c959a7fa5c5c611ddaaf0b925115ff

    SHA1

    b4fcf8de4f9d87c8ee5ffb6b289245f02ae482c7

    SHA256

    401cc0d8a4ed0337f357254c9475dd78251abfae7094bbeb0411d30a21a4ccc5

    SHA512

    3e47cf467802acaf0cde8351c894035e3a0a5c60f41d6970fb6a4bb2b0dcf3726e08dbf4df9719ac1c6eabe71b42a83893d35aa73fe01f19823d83c3b22e7388

  • C:\Windows\tawisys.ini

    Filesize

    378B

    MD5

    0975bd57bdc54d80e7eba74b267074e8

    SHA1

    2f78d12f0fbb9656c4a7805411ccc9a0858dc55d

    SHA256

    2e6bdd3ad32c1b06711476e1e39f148e498b785e702f734409a497118d76f041

    SHA512

    fe14a9c9e5a169c2acb9f0831317b3bbe5399fd26ad62959ce0ed2010b8fa87576f9aca365bc6c016d9d93d9e8d3465b54760743d1c60c0d94a4b6bc77a2e3a2

  • C:\Windows\tawisys.ini

    Filesize

    49B

    MD5

    29ba9f9d07429e35ce77edb971a5f349

    SHA1

    5e76645272cc2fddcdfe3abae2fdd0809dc0f526

    SHA256

    716a3bb87f7cf28f75ef529ec374882e5af6e485ca7d12447e8780af0cbad3fd

    SHA512

    1861bcf94e19a1e3d3a98355b67f78ee4d21b6f06f8f5395f49751dde72d0ad22d578ebe545f29b2945d583d214e964e72ecb9e51d90b6cce263d61b9c52ada3

  • C:\Windows\tawisys.ini

    Filesize

    422B

    MD5

    94f8fc62ebd18cdcccf39cb9246b8c39

    SHA1

    d43995b10c76db1dfa3721282e893a8d50bc3e53

    SHA256

    2e61430f35c4a8f8d249830266fa090bc6c34041b36e36f624eab8f392c004ae

    SHA512

    8e00e5d84ae0796289df028dd358d2b1780c639c628fa7006c341611e8de905e23dd1a510f778d7b96cd850303aa87cbf774fd854c164f37ca5e5d4c673f5fa3

  • C:\Windows\tawisys.ini

    Filesize

    428B

    MD5

    12fc606070df472fc09565347eef6751

    SHA1

    82c304ef36a3de2766026c407dc102312071cacb

    SHA256

    c04e1ea9ca6991ebeb1a6d4359a0d64dc05d66eeb4468da886eaa35599d41516

    SHA512

    59576d449c3833379229978f40b10a1a517619e09e8da8722be64ce0e1599cfb511874a44da8ec85ad5052f6c9fcbf08e3866bd482de75d195fcb338cef6e7d0

  • C:\Windows\tawisys.ini

    Filesize

    461B

    MD5

    3da5f9aaf1eab95334644361520f39bf

    SHA1

    2b77f3fab796289c7a1bf51ea934d3b1e932d264

    SHA256

    4c240ec3c31a1d142fc6130e211ca80cb70e02d2ce4b00230415b4d6cce56f7d

    SHA512

    1dd525ff9865fcf728e36513caa24040e22c64357b848167af3bbee141b6423069d3ee3d735180391aa56d0aa788972a5ca752531d0e50d78fbebcadfdaa36d1

  • C:\Windows\tawisys.ini

    Filesize

    488B

    MD5

    c3ab0d6ab94c81496906b69b51f6d26d

    SHA1

    06b9195be8ef8a6910d5181df9bd3a66bf6a13eb

    SHA256

    5bd434d7668ee59226929a6137f46c8a61b35677775cab589fe2a4b5087ad30d

    SHA512

    904a9415cbc393b491e7dfad3ed70a08a3a5e7d7d12178a6024f76a3f3b030a277a5c7d2d3b8a6a21eb08534283d15b3e17c18066ce911bb3ed9a372d9a89087

  • C:\Windows\wftadfi16_080814a.dll

    Filesize

    35KB

    MD5

    a669aaa5c5d2a814a94b89d0f8e19eb2

    SHA1

    6e225f173425ca4d06d4757e3783c2d3c774fed4

    SHA256

    a372488c2cb56e8075fdc735ebfd3ec723f87056ecdd67054cbac38fb9a200bd

    SHA512

    e083e24da2c135aaaeacc6580d4f8e3dadd28da270ca76078f5e8d6ca83259e6300c878312b4f56e03db6f8d3095a0be3518bc51d446759497d9e6dc0b48b087

  • \??\c:\mylstecj.bat

    Filesize

    53B

    MD5

    ce39e790da3f5bfbf44403f6aef61bfd

    SHA1

    df0ea3450379350f29dd05f12e1123ce8e39958e

    SHA256

    34a8c1bd7b386f6f53d63423312eb1d92c740a83ae05c699536236ba529560c8

    SHA512

    33f8cb29dd728dbb11f6bed7f71b27520a69cc6254e6ca42708b35877aa15b4473d8e9025e8a3f5a1256418a9bd3906fd085df26a3504cd978975e420fdbe83c

  • memory/1912-71-0x0000000000560000-0x000000000056F000-memory.dmp

    Filesize

    60KB

  • memory/1912-58-0x0000000000560000-0x000000000056F000-memory.dmp

    Filesize

    60KB

  • memory/1912-91-0x0000000000560000-0x000000000056F000-memory.dmp

    Filesize

    60KB

  • memory/1912-114-0x0000000000560000-0x000000000056F000-memory.dmp

    Filesize

    60KB
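Three things in the dropped-file list deserve a second look before any of it is copied into a blocklist: C:\Windows\System\sgcxcxxaspf080814.exe has exactly the hashes of the submitted sample, so it is a self-copy and its hash adds nothing; C:\Windows\tawisys.ini appears eight times with eight different hashes inside a 147-second run, so it is a state or configuration file being rewritten and its hashes are worthless as indicators (the path is the indicator); and the IE cache entry was written by the browser, not by the dropper. The following helper is an added example, not part of the sandbox output. It is fed the SHA256 values from the Downloads section above (constructed inline; the memory dumps carry no hash and are omitted) and separates stable payload hashes from volatile and benign ones. Treating anything under INetCache as benign is the author's assumption.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Drop:
    """One entry from the sandbox's dropped-file list."""
    path: str
    sha256: str


# SHA256 of the submitted sample, from the General section of this report.
SAMPLE_SHA256 = "9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78"

# Constructed from the Downloads section of this report.
DROPS = [
    Drop(r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPQ9CKS7\suggestions[1].en-US",
         "c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad"),
    Drop(r"C:\Windows\SysWOW64\inf\svchosd.exe", "6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910"),
    Drop(r"C:\Windows\System\sgcxcxxaspf080814.exe", "9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78"),
    Drop(r"C:\Windows\dcbdcatys32_080814a.dll", "00dbe9fe8b3d17edafe847474850dc716b4c52dbb581fbacabadf91febfb1816"),
    Drop(r"C:\Windows\tawisys.ini", "65e12ba78b34e03df0dc632b95a331e9c8ee5185fe8d8db907c58d0f864b8faa"),
    Drop(r"C:\Windows\tawisys.ini", "401cc0d8a4ed0337f357254c9475dd78251abfae7094bbeb0411d30a21a4ccc5"),
    Drop(r"C:\Windows\tawisys.ini", "2e6bdd3ad32c1b06711476e1e39f148e498b785e702f734409a497118d76f041"),
    Drop(r"C:\Windows\tawisys.ini", "716a3bb87f7cf28f75ef529ec374882e5af6e485ca7d12447e8780af0cbad3fd"),
    Drop(r"C:\Windows\tawisys.ini", "2e61430f35c4a8f8d249830266fa090bc6c34041b36e36f624eab8f392c004ae"),
    Drop(r"C:\Windows\tawisys.ini", "c04e1ea9ca6991ebeb1a6d4359a0d64dc05d66eeb4468da886eaa35599d41516"),
    Drop(r"C:\Windows\tawisys.ini", "4c240ec3c31a1d142fc6130e211ca80cb70e02d2ce4b00230415b4d6cce56f7d"),
    Drop(r"C:\Windows\tawisys.ini", "5bd434d7668ee59226929a6137f46c8a61b35677775cab589fe2a4b5087ad30d"),
    Drop(r"C:\Windows\wftadfi16_080814a.dll", "a372488c2cb56e8075fdc735ebfd3ec723f87056ecdd67054cbac38fb9a200bd"),
    Drop(r"\??\c:\mylstecj.bat", "34a8c1bd7b386f6f53d63423312eb1d92c740a83ae05c699536236ba529560c8"),
]

# Written by the browser rather than the dropper: useless as indicators (assumed).
BENIGN_PATH_FRAGMENTS = ("\\inetcache\\",)


def normalise_path(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and fold case so the NT and
    Win32 spellings of the same file compare equal."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def hashes_by_path(drops: list[Drop]) -> dict[str, set[str]]:
    out: dict[str, set[str]] = defaultdict(set)
    for d in drops:
        out[normalise_path(d.path)].add(d.sha256)
    return out


def self_copies(drops: list[Drop], sample_sha256: str = SAMPLE_SHA256) -> list[str]:
    """Dropped files whose content is byte-identical to the submitted sample."""
    return sorted({normalise_path(d.path) for d in drops if d.sha256 == sample_sha256})


def rewritten_paths(drops: list[Drop]) -> list[str]:
    """Paths seen with more than one hash: runtime state, not a static payload."""
    return sorted(p for p, hs in hashes_by_path(drops).items() if len(hs) > 1)


def _benign(path: str) -> bool:
    return any(f in path for f in BENIGN_PATH_FRAGMENTS)


def path_iocs(drops: list[Drop]) -> list[str]:
    """Every distinct dropped path that the dropper itself wrote."""
    return sorted(p for p in hashes_by_path(drops) if not _benign(p))


def hash_blocklist(drops: list[Drop], sample_sha256: str = SAMPLE_SHA256) -> set[str]:
    """The sample's own hash plus every stable, non-benign drop. Volatile files
    are skipped because each rewrite would need a new entry."""
    volatile = set(rewritten_paths(drops))
    out = {sample_sha256}
    for d in drops:
        p = normalise_path(d.path)
        if p in volatile or _benign(p):
            continue
        out.add(d.sha256)
    return out


if __name__ == "__main__":
    print("self copies:", self_copies(DROPS))
    print("rewritten:", rewritten_paths(DROPS))
    print("path IoCs:", path_iocs(DROPS))
    print("hash blocklist:", sorted(hash_blocklist(DROPS)))
```

On this report the blocklist comes out to five hashes (the sample, svchosd.exe, the two DLLs and the batch file) and six paths. The 53-byte batch file is the weakest of the five: a script that small is trivially regenerated with different contents, so its path and the cmd.exe /c pattern are more durable than its hash.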