Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2024 14:46

General

  • Target

    f63dd470b2658cae1772828fd1f5b252_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    f63dd470b2658cae1772828fd1f5b252

  • SHA1

    48a8c6ee5e1d20d141ea10948a2e01366fa65c67

  • SHA256

    ccdb941fb889bb96b74297126bd885defdb1310c22e69dd4404ab78216375577

  • SHA512

    51b20a1ace3db56c227050c347f83ff78e225b1d7175e1c2ca85c7e2ae1573c2fe1cf23f205e6df0026f8c7ae6b34bd3f16efe707f3f0b38ad949587ae4276dd

  • SSDEEP

    1536:RXs9wrnUh4d7ygVpn0uv77P11gqu87hhofg7dB/y:RXYw4+dGgLn0sP11gqPofgRty

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.alizametal.com.tr
  • Port:
    21
  • Username:
    alizametal.com.tr
  • Password:
    hd611

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.yesimcopy.com
  • Port:
    21
  • Username:
    yesimcopy1
  • Password:
    825cyf

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f63dd470b2658cae1772828fd1f5b252_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f63dd470b2658cae1772828fd1f5b252_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Program Files (x86)\43c0207a\jusched.exe
      "C:\Program Files (x86)\43c0207a\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2756

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\43c0207a\43c0207a

    Filesize

    17B

    MD5

    6ff89798e0e63d75115c777af43a2cd9

    SHA1

    e8b994ccbbe64951afe91fc3dd377f88fe6c9ba8

    SHA256

    3b3947957c6e0abb19d91b256521bdb3826d88d9b7b53995e177a58cebf0d479

    SHA512

    46557f9bf6f5c5b3316891a9b623a7d11d8d8ff1973ca84cfbcf8d898746f2dbded7fee837c9a70c2e36f9b46a357fe2ba53585bf5307950d2fef6ee1dcb28a3

  • C:\Program Files (x86)\43c0207a\info_a

    Filesize

    12B

    MD5

    599f593ce65d372c4323de6ce6bf2c53

    SHA1

    3047d05a3295763a07338be7481b594635d8b4c1

    SHA256

    69cd5db26918a6be74f92b4ceda778cc10b4dffab4d70fee3ca0d72f00803400

    SHA512

    473faa1fdd5e3bb6b5d3c84380e68c425f23f2d97a7a74d211f47799431a2f2d994bfc43010837f2a06fa9c2e61da2b7e8806075dd2e19e008873a4900dd407d

  • C:\Program Files (x86)\43c0207a\jusched.exe

    Filesize

    196KB

    MD5

    bd6822141acf65afdba099e1e401fff6

    SHA1

    1305e6b78f06620e962cebc80299f9761256bda5

    SHA256

    cc08323696df8df833fbe7c2fb4ce9ad5cd3718390e7e1735c846fd3a930d457

    SHA512

    d86124c7af51e0139c2a9fc431355c09bd89e115278eb2b3be5508a17207f063a4feed80b51f36d1e186ea597bc694efe5adcdb9b63bf6793a508cc08df79179