Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 17:34

General

  • Target

    06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe

  • Size

    335KB

  • MD5

    06bf28afb24066ddb543d633e4bc441b

  • SHA1

    dca692fb1b0752a53c9c31bdea7c8e9e004e9d37

  • SHA256

    0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239

  • SHA512

    a21df423a6c18cb1662eef28619886eff08d53c63ce180ca9313fbf9aa5a2adb632178035e530a26519877b5897fc32b07a13bbb5ef0d4bb522d0c77f67e40e9

  • SSDEEP

    6144:DBj6B6kP/KRvA9HmNR92bIjLxPTYra385tnDzeO+SsZPqXhEWw3g/r3IDhIDsWCx:s6kPIA9mR9jXZkznXL+C7l/fIX6cgD0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3404
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
      1⤵
        PID:2256

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\HXCVUD.DAT

        Filesize

        13KB

        MD5

        de0c533b3e727cfab6d5f5418c159423

        SHA1

        9bf855b87c43405ff7cba13541d5fe4656a59463

        SHA256

        bd3daf8b7f8de13aec1438e59d50b09af45eeab17cd0eed7424a4c9b3122150b

        SHA512

        c33da4186a46553f1c7621220826f091e204715e58c83bcc93cd3fe2116e974615d2a424cd3d073e8f066b3f9dcfff50fa8bca28b17bb968cb85ced899ae8405

      • C:\Windows\Hacker.com.cn.exe

        Filesize

        335KB

        MD5

        06bf28afb24066ddb543d633e4bc441b

        SHA1

        dca692fb1b0752a53c9c31bdea7c8e9e004e9d37

        SHA256

        0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239

        SHA512

        a21df423a6c18cb1662eef28619886eff08d53c63ce180ca9313fbf9aa5a2adb632178035e530a26519877b5897fc32b07a13bbb5ef0d4bb522d0c77f67e40e9

      • C:\Windows\MYISDX.DAT

        Filesize

        122KB

        MD5

        69c410f159553e56ab5a3d94784e26c9

        SHA1

        4106505d1666d99c923d94072e8ca80142027b66

        SHA256

        d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

        SHA512

        8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

      • C:\Windows\QPOOUM.DAT

        Filesize

        51KB

        MD5

        d58f992c53515c9f1fb9394a46f4cb48

        SHA1

        1f9909d227b93be10328e0abc64052da984657ba

        SHA256

        50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

        SHA512

        3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

      • C:\Windows\uninstal.bat

        Filesize

        218B

        MD5

        075f7ddc1df7955a4cedd17fb34cbd4b

        SHA1

        178c2e53fc18a8bd56ac8612db8d512dbe1f464a

        SHA256

        fc40a901b8dd4ef3c9a45c4e3396382bd42359e58b992244776d5cc88098d56c

        SHA512

        fce912ea908f23817f7526d5d3e87b9856640dd7db29a3d9d4f6451d173e7ae881477dbc9f34e619b39928deb7764a5efd8f0d880ede9d5fb107983f91cead0c

      • memory/1384-0-0x0000000000400000-0x000000000054A000-memory.dmp

        Filesize

        1.3MB

      • memory/1384-1-0x00000000022C0000-0x00000000022C1000-memory.dmp

        Filesize

        4KB

      • memory/1384-2-0x0000000000400000-0x000000000054A000-memory.dmp

        Filesize

        1.3MB

      • memory/1384-3-0x0000000002310000-0x0000000002311000-memory.dmp

        Filesize

        4KB

      • memory/1384-24-0x0000000000400000-0x000000000054A000-memory.dmp

        Filesize

        1.3MB

      • memory/5024-21-0x00000000017F0000-0x0000000001802000-memory.dmp

        Filesize

        72KB

      • memory/5024-17-0x00000000017B0000-0x00000000017D4000-memory.dmp

        Filesize

        144KB

      • memory/5024-12-0x0000000000D50000-0x0000000000D51000-memory.dmp

        Filesize

        4KB

      • memory/5024-11-0x0000000000400000-0x000000000054A000-memory.dmp

        Filesize

        1.3MB

      • memory/5024-26-0x0000000000400000-0x000000000054A000-memory.dmp

        Filesize

        1.3MB

      • memory/5024-27-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

        Filesize

        4KB

      • memory/5024-29-0x00000000017B0000-0x00000000017D4000-memory.dmp

        Filesize

        144KB

      • memory/5024-31-0x0000000000D50000-0x0000000000D51000-memory.dmp

        Filesize

        4KB

      • memory/5024-30-0x00000000017F0000-0x0000000001802000-memory.dmp

        Filesize

        72KB

      • memory/5024-41-0x0000000000400000-0x000000000054A000-memory.dmp

        Filesize

        1.3MB