Overview

overview

5

Static

static

5

eaa4e3b52b...18.exe

windows7-x64

5

eaa4e3b52b...18.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eaa4e3b52b9b0276041c71129a3945c5_JaffaCakes118.exe

  • Size

    615KB

  • MD5

    eaa4e3b52b9b0276041c71129a3945c5

  • SHA1

    d795782c66d8ab6c3fb64dc13cef644c97fb052f

  • SHA256

    60a71b5151faf2646b9f4805e9b77ae69be8ae5f7267f076d2dce0e1e2e769b0

  • SHA512

    ee1c24efcad441f63512abd7cc54e47228a8fc14c86cb187451081f7d996433e1fb578e3bd48a0941a2827bebd85fca1a91241d4bc8193e415070cd3093814be

  • SSDEEP

    6144:aDdSjkAZ3bLuE8LsC7zhBiw6H5RyWufqoN7hsyyL8N6YAI6CI6fUzoyKcSs0uGot:EGZrLr8oCOt4VF14s31LAMs+cjtO+

Score
5/10
discovery

Malware Config

Signatures

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaa4e3b52b9b0276041c71129a3945c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eaa4e3b52b9b0276041c71129a3945c5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\eaa4e3b52b9b0276041c71129a3945c5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\eaa4e3b52b9b0276041c71129a3945c5_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.pppp123456.cn:9999/welcome.php?k=t%2FK9qMCtzqrG67buxuvF1Mbrt%2FK38sbrwK3awLfyxdTA1sCtwK3Iy7fyv%2BzArbbuxuu27sbrv%2BzG67fyxuvH672owNa9qMCtvajA1r2owK29qMCtxuvL48bry%2BPG68vjxuvG68bry%2BPG68Ctvai9qMbrwNa9qMCtxuvArcbry%2BO9qL%2FsxuvArb2ovai9qL2oxuvA1r2osKLG68frxuvA1sbrx%2BvA1sCtwK3G67fyxuvG67buwK3H67fyvai38r2ot%2FLL48bryMvA1rfFwNa3xcCtt%2FLArbfFwNbOqsCttu7ArcXUwK3G67fywNbArbfFt%2FLG68Ctt8XArcCtt%2FK9qMDWzqrArcbrwK23xcCttu7A1rfFwK3Arbfyt%2FLArcirwK3F1MCtzqrArdrAwNa3xbfyy%2BPA1rfFxuu3xb2oyKvArcXUwK3OqsCt2sC9qMXUwK29qMbrtu7G68DWxuuwosbrsKLG67%2Fsxuu9qMbrv%2BzA1sCtt%2FLG68CtvajG67but%2FK38rfysKLA1sCtt%2FLArcCtsKK38sDWxuu27rCit8XArcXUwK2wosbrxdTA1sCtwK3F1Lfyy%2BPG67buxuvL48DWwK238sbrwK23xcCtwK238r2oxuu27g%3D%3D
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17414 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4796
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.cn/?gl
        3⤵
        • Modifies Internet Explorer settings
        PID:2168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 444
        3⤵
        • Program crash
        PID:1596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 448
        3⤵
        • Program crash
        PID:776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
    1⤵
      PID:2336
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4836 -ip 4836
      1⤵
        PID:1688

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        33bac9325241193616461afd5a0deb0c

        SHA1

        e78ed72996568bc9616f4d6b20403749252b4859

        SHA256

        cb0b78d15b774b91ab6f6ef315a14f301b85b40122a72622818753212538f5b7

        SHA512

        3054cbd1551e36a747fc4c7086d3cc484530ea13d44279b4f5f92d462d91d7e3322bb240edeedd517751c00949a6264b50322464e446290726fde18ac4eb2e2e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        2dd1b8335d7e0e3ab4725347fe4a3c1b

        SHA1

        0d9f9143212f17db6cda28ac31250d75c4f974c5

        SHA256

        7fde8f33d7f0022f5bcbf0340be014722e3a670f6f46d8698629d6977e6868fa

        SHA512

        83ff7fae08eb4672dddd72fd7a9af87725a096336c2c23116e1f61eda502163be262e651d8b89df37260a187a3f4d3e62dc2bb40e2c3a8a789e69bc0ef802ffc

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFCA0.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/1144-0-0x0000000000400000-0x00000000004AB000-memory.dmp

        Filesize

        684KB

        Download

      • memory/4836-1-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4836-3-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4836-4-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download