Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-09-2024 10:38

General

  • Target

    fa4092046c87ccbe8b8dcf67dd006b6a_JaffaCakes118.exe

  • Size

    248KB

  • MD5

    fa4092046c87ccbe8b8dcf67dd006b6a

  • SHA1

    25263a5f5acd63a0ddb8c3b54f6b8bdbcf1e6439

  • SHA256

    a8cca8cf2fb062e97ae8fcbb73669e1cf4b89d2f070b262617eab5a69971afa3

  • SHA512

    394cc91dbe6f684d82df5ea2dc3a86418cf8ac27820e6135c5da5598251f3d5bb2cd29ab610596c99291be826e6570ea65a7d9b5e4ff6297d4bfd7e4477dd195

  • SSDEEP

    6144:m2M5CElofkFWQPtnRneqAKnvmb7/D269fgwMty0e6ndv0DyVr:mt5CLkFfnRnWKnvmb7/D26qndv0D+

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa4092046c87ccbe8b8dcf67dd006b6a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa4092046c87ccbe8b8dcf67dd006b6a_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\pskuug.exe
      "C:\Users\Admin\pskuug.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4516

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\pskuug.exe

    Filesize

    248KB

    MD5

    e88f683838ab3b4ea08a061f77aee607

    SHA1

    214eb0019ff77111cf4cd55dd59c0baba2371ff2

    SHA256

    0152e0caa76d815406916bfeec5dbdd7cc9ac9844764d12400f9fe84dbe372fe

    SHA512

    b48c969d44e9b0c7937bcdc37b01c0530996551c41615801ffed6826a4caf125397642041aea865f6c94148cd0070d5b1e4457fb87704fee6e016a5473a52308