Overview

overview

8

Static

static

3

fce11fe00c...18.exe

windows7-x64

8

fce11fe00c...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fce11fe00c541c477e913d62d6660093_JaffaCakes118.exe

  • Size

    111KB

  • MD5

    fce11fe00c541c477e913d62d6660093

  • SHA1

    3bbf8911041e5c704a62b8a0ccba68b12cf9e218

  • SHA256

    5a8c08b46212a6d093e668b8ab1c9865e44271f93721c16d16ef3f5914368b37

  • SHA512

    c457691352610b424ea06970f9c3b0b910084ab27425bbf32d262297b901635947ae0104621c16c28c9b68b11834015dd41942e7c73e9e6f1a6610b21b5b82f6

  • SSDEEP

    3072:P05+R+upctLk8uoslG4tOwGvYRngHRrm40y9Nfw:P05UZpcBZslG4wvYRgHR9ZY

Score
8/10
discovery

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fce11fe00c541c477e913d62d6660093_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fce11fe00c541c477e913d62d6660093_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\regedit32.exe
        "C:\Windows\system32\regedit32.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\REGEDI~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\server.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    65KB

    MD5

    d8249ea5de8a1e46e2791f3ce50d420e

    SHA1

    f27b150214a15af47a20dea2d5c4f2707c562d85

    SHA256

    5cf2335f75687c1f3e1dc6a325699044b530966fe5209ba13e1a810570619091

    SHA512

    b2d5c6b3be1de60965e1cdade920843d6959bce129c3f314dd058293b113305fb6c1b271c4d30f779b869e9082b81680063be83c48e2f7179d119ab13b08a5eb

    Download Submit

  • C:\Windows\SysWOW64\drivers\beep.sys
    Filesize

    2KB

    MD5

    0e1d8c703b0b083560b95cd93b45c146

    SHA1

    a1cb6b878445a2417ddd35d927255432eb5074e2

    SHA256

    d0130627ab480faff1d9a67856f074c1232c7b19ff25dc951c18bb0afdde482b

    SHA512

    ad0e0dbb4dd7cd9783dda6d91fc2be3d1c8091abdf27f3abb2a0325e1e10de0a452f11090ceb016c303c60b77ad4cf9c52ba74ba72f875f9c3ba565934bdcfde

    Download Submit

  • memory/3012-0-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/3012-12-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download