Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-09-2024 05:31

General

  • Target

    eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    eaad4d6b2d66f87160215d32100ff63b

  • SHA1

    cfa86fa8d88f447fb7d0e79db9c51091ee3f7ce8

  • SHA256

    a19167c5eb4ac1338105d7597d6c4fc212a0bc5acbe03fee16c99d9449c8b620

  • SHA512

    216d31c397b5640cfcb6eef119b0181bde1546637c5172b8fc6b7f2d1727d0819fc03054cfc2ceac6eee293270cbe50b6cb4a6a8354a76ecca1096e639c52ad5

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhW2:hDXWipuE+K3/SSHgxc2

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Local\Temp\DEM60F7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM60F7.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Users\Admin\AppData\Local\Temp\DEMB84F.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB84F.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Users\Admin\AppData\Local\Temp\DEMECB.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMECB.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1908
          • C:\Users\Admin\AppData\Local\Temp\DEM6519.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6519.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3168
            • C:\Users\Admin\AppData\Local\Temp\DEMBC32.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMBC32.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3432
              • C:\Users\Admin\AppData\Local\Temp\DEM131C.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM131C.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1540
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
    1⤵
      PID:3684
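
    The process tree above shows the submitted sample spawning six further generations of DEMxxxx.exe from the same Temp directory, every one a 14KB file whose hash differs from the others in the Downloads section. The script below is an added worked example, not output of the sandbox or part of its report: it reconstructs such a temp-to-temp spawn chain from process-creation records and cross-checks each stage against the dropped-file hashes. The event list and hash table are transcribed by hand from the report; the parent links are assumed from the report's nesting (each nested process spawned by the one directly above it), and the minimum chain depth of three is this example's own threshold.

```python
"""Reconstruct a dropper chain from sandbox process-creation data.

Added worked example for this report, not sandbox output. The event and
hash tables are transcribed from the Processes and Downloads sections of
the report; parent links follow the report's nesting (assumption: each
nested process was spawned by the one directly above it) and the depth
threshold is this example's own choice.
"""
from collections import defaultdict

TEMP_DIR = "c:\\users\\admin\\appdata\\local\\temp\\"

# (pid, parent_pid, image_path), constructed from the report's process tree.
PROCESS_EVENTS = [
    (232,  None, r"C:\Users\Admin\AppData\Local\Temp\eaad4d6b2d66f87160215d32100ff63b_JaffaCakes118.exe"),
    (224,  232,  r"C:\Users\Admin\AppData\Local\Temp\DEM60F7.exe"),
    (1052, 224,  r"C:\Users\Admin\AppData\Local\Temp\DEMB84F.exe"),
    (1908, 1052, r"C:\Users\Admin\AppData\Local\Temp\DEMECB.exe"),
    (3168, 1908, r"C:\Users\Admin\AppData\Local\Temp\DEM6519.exe"),
    (3432, 3168, r"C:\Users\Admin\AppData\Local\Temp\DEMBC32.exe"),
    (1540, 3432, r"C:\Users\Admin\AppData\Local\Temp\DEM131C.exe"),
    (3684, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

# Dropped file -> MD5, constructed from the report's Downloads section.
DROPPED_MD5 = {
    r"C:\Users\Admin\AppData\Local\Temp\DEM60F7.exe": "fb6c168c6527a6c5ee2a16ff8e7ee739",
    r"C:\Users\Admin\AppData\Local\Temp\DEMB84F.exe": "f5d3d6c46099a1759ac1d1f451de4ac3",
    r"C:\Users\Admin\AppData\Local\Temp\DEMECB.exe":  "c145c0748371de3e6fae6fd1dba03f23",
    r"C:\Users\Admin\AppData\Local\Temp\DEM6519.exe": "b6b0a8835cd22657d5851da219aab829",
    r"C:\Users\Admin\AppData\Local\Temp\DEMBC32.exe": "ba3e262f932b95e0caaa418a8a1cc5bf",
    r"C:\Users\Admin\AppData\Local\Temp\DEM131C.exe": "3bc4ef81448e4270340b6ca760cb4b59",
}


def is_under(path, directory):
    """Case-insensitive test that a Windows path sits directly inside directory."""
    p = path.lower()
    return p.startswith(directory) and "\\" not in p[len(directory):]


def temp_spawn_chains(events, temp_dir=TEMP_DIR, min_depth=3):
    """Return every parent->child chain whose executables all run from temp_dir.

    A chain starts at a temp_dir process whose parent is missing or lives
    elsewhere, then follows children that also run from temp_dir. Only chains
    of at least min_depth processes are returned, longest first.
    """
    image = {pid: path for pid, _, path in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    def walk(pid):
        # Longest temp_dir-only path downward from pid, including pid itself.
        best = []
        for child in children[pid]:
            if is_under(image[child], temp_dir):
                candidate = walk(child)
                if len(candidate) > len(best):
                    best = candidate
        return [image[pid]] + best

    chains = []
    for pid, ppid, path in events:
        if not is_under(path, temp_dir):
            continue
        if ppid in image and is_under(image[ppid], temp_dir):
            continue  # not a root; reached from its parent instead
        chain = walk(pid)
        if len(chain) >= min_depth:
            chains.append(chain)
    chains.sort(key=len, reverse=True)
    return chains


def drop_hash_summary(chain, dropped_md5):
    """Cross-check a chain against dropped-file hashes.

    Reports how many stages follow the submitted root, which stages have no
    recorded hash, and whether the hashes are pairwise distinct (equal sizes
    with differing hashes means each generation wrote new content, not a copy).
    """
    stages = chain[1:]  # the root is the submitted sample, not a dropped file
    missing = [p for p in stages if p not in dropped_md5]
    hashes = [dropped_md5[p] for p in stages if p in dropped_md5]
    return {
        "stages": len(stages),
        "missing_hash": missing,
        "distinct_hashes": len(set(hashes)) == len(hashes),
    }


if __name__ == "__main__":
    for chain in temp_spawn_chains(PROCESS_EVENTS):
        print(f"temp-dir spawn chain of {len(chain)} processes:")
        for depth, path in enumerate(chain):
            print("  " * depth + path)
        print(drop_hash_summary(chain, DROPPED_MD5))
```

    On the report's data this yields a single seven-process chain rooted at the submitted sample and ending at DEM131C.exe, with msedge.exe correctly excluded; all six dropped stages have a recorded MD5 and the six hashes are distinct. The same functions apply unchanged to real process-creation telemetry (for example Sysmon Event ID 1) once it is mapped to (pid, parent_pid, image_path) tuples.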

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DEM131C.exe

      Filesize

      14KB

      MD5

      3bc4ef81448e4270340b6ca760cb4b59

      SHA1

      aeca4a98f8b5eff1b382af5ca6b18ce9aa4e6607

      SHA256

      d2501ab10deaf074d1640e63a2da92115e10d40cfd301651c590751ad0f55f7c

      SHA512

      1dd4206eea8d9c7e41192fd5bebc2cb2dcc06245629401aac504831e2b82256be63c2d00269457bbda1cf676b402c6bc79cbe8bed7b2d7082ae0e5e11d3f3a14

    • C:\Users\Admin\AppData\Local\Temp\DEM60F7.exe

      Filesize

      14KB

      MD5

      fb6c168c6527a6c5ee2a16ff8e7ee739

      SHA1

      ae569af7ebb11517c52beed545feb196b92ad142

      SHA256

      1e455ae2de2438986d2462de2d34b3c409f853449d5e68095a6ca53e573b7bf5

      SHA512

      f028d9851d9ac745905f80b67019a92ee73a231091da4cf4d25075791315672c0f4a190c798a2286de95cec924eed7854ce890e052c81e744dfc9fd1c6f36dec

    • C:\Users\Admin\AppData\Local\Temp\DEM6519.exe

      Filesize

      14KB

      MD5

      b6b0a8835cd22657d5851da219aab829

      SHA1

      0edd9dae27df876c30afe9237558da8b1f692499

      SHA256

      c7363f45c4f1e5291f5fd778f3303e5bcdcaed049a34b1ae0bf3006af2809d06

      SHA512

      3458ea6967df0f78da050b7e513e2576ee33d2c552f86bec59cc25c50c11fb2b5e5921f68c2cd5b1eeb5a237c4aa643cd0774618f710c28e31f30228b6fe5741

    • C:\Users\Admin\AppData\Local\Temp\DEMB84F.exe

      Filesize

      14KB

      MD5

      f5d3d6c46099a1759ac1d1f451de4ac3

      SHA1

      45e50c4d959d4a9f548d34e1e4627de0137e614e

      SHA256

      7c70389b3d6c8aa492ba103a1e99976aead88a2ba531f3646dd74dc223ce8115

      SHA512

      40aef5307a43c17a0aac76b84a8a7c56bfbfb0101511cb6568abef87637d3801a2470d798667967c877178c65b1e781dbe877a829f803b4af4572d4bb5d5f9a7

    • C:\Users\Admin\AppData\Local\Temp\DEMBC32.exe

      Filesize

      14KB

      MD5

      ba3e262f932b95e0caaa418a8a1cc5bf

      SHA1

      361bd92e728c5626662576ed54b738f2fb242730

      SHA256

      1396a79af3bd9115d8d726befe2947bd69e4f9cca035a5255f2819bb2d33d36d

      SHA512

      446370060c3722a26325b15a01f601bf028b15cd9b578d4a12e57e5cdb881f9e8236c95c5a3dccc9b4a9187e81b22413fe9616c68c01b5c014ee2c5d76abebff

    • C:\Users\Admin\AppData\Local\Temp\DEMECB.exe

      Filesize

      14KB

      MD5

      c145c0748371de3e6fae6fd1dba03f23

      SHA1

      404318956f679494a770db19749fd2b86a27b5e9

      SHA256

      97388161827853c2d78c19d578ff0e9164d0a4c591a5ef82f0a9ee366efc8b79

      SHA512

      8bfd5d3da9b8ce0f6c4aff20cdade8fc9423927bf71f4b15cfc3d12f03c053bfb07c6dacc98d0e0fae78481223726acb8e0b18b6155cc744bc4570e7c395fc19