Overview

overview

7

Static

static

3

f5fecf633e...18.exe

windows7-x64

7

f5fecf633e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/09/2024, 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    f5fecf633e0665c42ec68086a16f43c7

  • SHA1

    f56bc51a58713533362927794161a26049c2421e

  • SHA256

    faabb97dd7db86cb73f71f0f7e5bfba6cf9133c928bb0d21c14b6c89ae3acbdc

  • SHA512

    2f4925e76b1f0ab51ed701bf77aa82a3f297f6ac2e46f3918203b5a9e28a6a8cec5a301fc16977d334d4d3a0e144dbb81b75c9f49426e4ecc6a0bc73827c01ba

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZ3:hDXWipuE+K3/SSHgx33

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\DEMC014.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC014.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Users\Admin\AppData\Local\Temp\DEM16EE.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM16EE.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Users\Admin\AppData\Local\Temp\DEM6D2C.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM6D2C.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3472
          • C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Users\Admin\AppData\Local\Temp\DEM195A.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM195A.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4572
              • C:\Users\Admin\AppData\Local\Temp\DEM6FD7.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM6FD7.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM16EE.exe
    Filesize

    14KB

    MD5

    ec9bc58576ad698e4e5f98228afc54a8

    SHA1

    7256f8ba39c479285afa63df2c81719d13cc7a91

    SHA256

    1a6cc5c636a34eb2b0ff4d565e406be5e92377507607a059756283b2417458a2

    SHA512

    821390afe83b6fc876a4409a7776fd84577743d24d762ab2878ee12ef2e630fd0501b44896667c2920d31fe7cfc426b11b13bc44adb721be6d6a0464365a7462

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM195A.exe
    Filesize

    14KB

    MD5

    1f476d8cf393906eb52165fd41a95e0d

    SHA1

    f8cc2e9e6a8a5427bbe9ef7964c249eeab9291c5

    SHA256

    5dd125800a3bee73f7acfaeda4fd078d688fc1436b7ad43bc9bbf4b419efc557

    SHA512

    4122268763829380998fbec56daa5259041f4316108e653c4add938866105fc191fc647ae0d78472504c0b729c641da28c2580a57de2c3a685f5a04ca787e418

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM6D2C.exe
    Filesize

    14KB

    MD5

    7a2278aeb5b65cc92ef0df831f7a6608

    SHA1

    92874fcad4a204d87194201bad70d345554fbae8

    SHA256

    98f61136170c2fec16943e22674ff89f6227cda49840cb28903350fb199e991e

    SHA512

    84cc5321a2ecceab24067dfa44c3023b69ae4d26582d52fcbf2ef086b813d97635b8cff0cefac5a455dae4bbae8c877f32f510b8bc1b3266dbf77f4b5b63e264

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM6FD7.exe
    Filesize

    14KB

    MD5

    dc523ebd0668e49b6d56537a605f210c

    SHA1

    2e6fdc4aa088d90bb891232ca2198d38f015f3c1

    SHA256

    b6d589e9aacfc94dad8c8e99adee10b68540c8b12390af82d4fa233812f07cad

    SHA512

    4bd8b2cc56216cdaebbd3b3ff2a4f4d873e0a8e4770531a4fe325c90b46abcf21d967b51d63c00bef3ebb02e407d792a13594292147a56e163df8a184e8b8083

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC014.exe
    Filesize

    14KB

    MD5

    64f9946400b1dd562a711bafcf61d895

    SHA1

    f10f13f7ead5255e11abedbb6143fb425791ef19

    SHA256

    0fc7d9cf38392703f912552dedc340fd6f346a5a2767673b41f131c93c56a635

    SHA512

    e4214ed9fabb31943b8aa19315db62594c4e3dca3826ea471340ea8eaf6aa72b534ad20d2a8e589cf2606053172e7069a023c0c1df62ec905b6c75ed33e2635f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe
    Filesize

    14KB

    MD5

    fc63cb9a21d4f4ba65d8e458a7926be4

    SHA1

    068c710f4c842fc41fe8889c7d4151d11414259e

    SHA256

    37c1c14640f9aed29d8cf331843c75854d697933127257db28ae43b73750b343

    SHA512

    f60ce8bf1f37f50f25601671a326eb7e10bb57d05e2775f2cf4bb3d30a74bcd9164d7d549b78b7db4645f4a3c4f9627b39e6310a7fcc7cc93f38dbb28c82b310

    Download Submit