Analysis

  • max time kernel
    15s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 00:42

General

  • Target

    03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

  • Size

    298KB

  • MD5

    03ca8f4558571b27bef876d0005663bd

  • SHA1

    08e6dbadc0e38517565127514f66a6d5794bb88d

  • SHA256

    3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22

  • SHA512

    4391181cc2ca0acf4c94d076d614f1c2a770706c710ede7e355bcdd7e07bfc41ad8ae47eb909a2d5ce21bb3698f4bc728413eb3650f79abee7bb25fae4c29716

  • SSDEEP

    6144:CzSY0RcrnbIFMzEOjh64JDZs6z7/WKtuujadWphpVsznR1bYhmbM:uKcrnbIA7dTYKsujaqpkRChmbM

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun7.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2520
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2424
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun49.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2152
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1764
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun44.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1820
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:664
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun41.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1988
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun89.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1672
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\Launch Internet Explorer Browser.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun39.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1632
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\Launch Internet Explorer Browser.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun36.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:900
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe

    Filesize

    787KB

    MD5

    c8a8321292a459b0a17fb39a782a5c74

    SHA1

    ef08e68af5b52c468a905a016ddbfb7c5b0a62e6

    SHA256

    a214e3b654bcb6e6142e101b0e89081d44a3a634afa94dc0a620467335b7beb2

    SHA512

    e43131e59ad638445d041753b3711a261134b7a557c10a462ed26c8db72c90814e561013b8b57fc64be5f9339eba875e14f48af54f0218735e6733227c264553

  • C:\Users\Admin\AppData\Local\Temp\srun36.bat

    Filesize

    191B

    MD5

    93cafd5778071dcaa715932e5e4f4ee7

    SHA1

    d300ea5935d62e297e2fb9c85cbb8897332c5263

    SHA256

    1c7a8faf859640a5ff60af52ab0c12e30dea80ccfd5b761b10616969db152d1a

    SHA512

    c174cd6dc93f3b948674994bcce771a5ff6bc63560a1e5062464c6cfc6d438391fd8bba34f0460f7897429c8a7d19fc30b6b622c7c2d441f6717211aa9711330

  • C:\Users\Admin\AppData\Local\Temp\srun39.bat

    Filesize

    195B

    MD5

    f5c6f5d14ccb17462df18efee7561a95

    SHA1

    60b6ae76d258f3df02cd7d73053f5c19d40ec0a6

    SHA256

    df5debad9283c7e914b88e26aa81d16cf57e8fd7550319a499bcc6460e68befd

    SHA512

    3fcbacdc2fd29a2410abb377dc9a81f6f89656d22cb4861dc338132d609b7ed5e5e126a5a2870c829b78f5acc01b66a1e4de627bf11974616548a45052166b93

  • C:\Users\Admin\AppData\Local\Temp\srun41.bat

    Filesize

    130B

    MD5

    d2974718dedfba615bcccbedbcdca3ea

    SHA1

    d2edecfa8c6f09be11bc1dd702e9ace63cc3cfda

    SHA256

    59498b25dca2e0162f34d6d00c842d85be117a3619f7f435e6790844b9616d47

    SHA512

    695752d8cf03a06bc9fb45de168e84d81b801a65215c0b14bfbcc35e5eb8cf26da3da6ca93deff9e2a3f3e36b66eeb1926941610d4808c5f1d10a8bbbd656033

  • C:\Users\Admin\AppData\Local\Temp\srun44.bat

    Filesize

    130B

    MD5

    49cd0b7d8dcbc470c63ec92f1f3acfc5

    SHA1

    ddf1ef8746b5e868df2ba783c16ae4b041b6989b

    SHA256

    11ed30db9de31ee899c81db4bd9e55d96577884e2f92c6688ac0d7f8a53e592a

    SHA512

    54f09793749aeefff03cb82045d379dc6c098e4059ba30d5d2f84d72411e989efe4322719db55de20bbae51206252961bc4128496225b2dbe799cf138be6b162

  • C:\Users\Admin\AppData\Local\Temp\srun49.bat

    Filesize

    142B

    MD5

    f996bfa141e4e8db400015f6e33672a5

    SHA1

    e3a4e748fa1e87499c4e603acb1ff5dacf9b8ea3

    SHA256

    7ab1c4ef5d907cc2c13124dbf4f4c32f8f47ed04326a60c62114b23a3b393415

    SHA512

    21367d5a6dcc3d734160d44fa24eb416fb0d95c633ffc2088f04c33f1759f538b83617098d21dfe291569048d29a733ae4a91789692111989968c89fd31d9329

  • C:\Users\Admin\AppData\Local\Temp\srun7.bat

    Filesize

    129B

    MD5

    82cdba7e18488f0c4fada43ef4656afb

    SHA1

    2442579c715d4b39a73c7f07bc5d1bd4a823c37c

    SHA256

    9807a9a32763631a7f21d40746c065f92bb0c2cc4ce00b7e415133de2861acef

    SHA512

    ac18889897437ef7d0b02bb94066ea0a917cb256313b52e86b5e375693297d150c3fa04f721701961a1c3d0b447c58b8e377c6b94b1e6ab6a26378247e07b0e0

  • C:\Users\Admin\AppData\Local\Temp\srun89.bat

    Filesize

    195B

    MD5

    101ecbf2a18240cd0c44500d88ddcd94

    SHA1

    72223a8edc37c912a376c172ac687db89a761d63

    SHA256

    41930096a9dbbcf1123a6d261d218ea6a4abdcffa1f57dba0ab3bf71dedea7dd

    SHA512

    72c966f53f33fd15a41444d4d6a6a577a6825143ee803cad96d96c1c72dc6d722a335bde50fb61c544244d3a231e3f9a52bf440ab51ae58ba040bbc4150557e7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

    Filesize

    1KB

    MD5

    5dbd63cbc40b2ea01c3c0494f5ba7457

    SHA1

    24b93c7e55e1643b309d6641fff4e2ff9e244429

    SHA256

    38b7d18a52d5a264b2073ba3e9cdff4fa3cf38ee36b53dcd131f81f5b412584b

    SHA512

    b925e638b06f698fe798052a79027b328d1ab77b848a2c59beeeba33409962b0e311ee5b466bed2f35d2857944c8fc5fc316317f1856a75442424e4af5e1d741

  • C:\Users\Admin\Desktop\Internet Explorer.lnk

    Filesize

    1KB

    MD5

    a6e56d0cb56fb67161c56f4803e7440c

    SHA1

    f5545a25e028e0b699878c3c6be8f20a5e82ada4

    SHA256

    84bc8babad3e65550d4c12b45b7125e3cdf1759a0d13bd7719f68cd91c5f9128

    SHA512

    4a8b4e6cc6e901d1c60c6cf7e2693aaeeb6e5c4fd6800199c227aa95f83d16627e44f5b09ed55c9f7f3966bdc05ac0ed8f9a96089f284e4139228cf96e33402a

  • C:\Windows\SysWOW64\Pnkx.exe

    Filesize

    298KB

    MD5

    6c13b03b53eb6ca8455c84779f6ce8bf

    SHA1

    074004075af6ad6447af2f14a58ed8917106fe46

    SHA256

    7b999b3f9910782941969cd5200839d65887f49d0c8606f07ce372b3519c1184

    SHA512

    6bfda5627a3e1c15a6cd49f2e92812b49895317318cd7262d7a863fffcb41fd268a8c27826dd1d97be74f8c79cd0aee8d0b81d805a5d662d58d6ea374d575dc7

  • memory/3060-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/3060-2-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/3060-1-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/3060-87-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB