Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2024, 22:34

General

  • Target

    0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe

  • Size

    501KB

  • MD5

    0cb9802d25363248aa1b64a44bb09cc7

  • SHA1

    94fab7822332e452a2bb493f8651a4cc24ddf644

  • SHA256

    dd77adda6b4f260a9f5ef079e520d58b35abf166b72b63ee5968883b9d7eb440

  • SHA512

    9ad547ae5e23683ccc30d9c35bf6695c60fa0bf4abe4ef19ce96b5ca71f6cb5a3e326c2c1de2cb473af3c1a1b1658adae87ab15d98bc365b2b2b2a6c35aa7618

  • SSDEEP

    12288:rWlfxLwk9hLMUYoura4RE0m77JWymUgG+6GO/:GJ0uhAUYouu4/K7JWymUD+m

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 6 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 36 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Program Files\TTPlayer\TPlayer.exe
      "C:\Program Files\TTPlayer\TPlayer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49AB2.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:216
  • C:\Windows\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\INBGC.reg"
    1⤵
    • Process spawned unexpected child process
    • Modifies system executable filetype association
    • Modifies registry class
    • Runs .reg file with regedit
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\TTPlayer\TPlayer.exe

    Filesize

    18.1MB

    MD5

    ac4d37f613405c385bf7bf35dde962fb

    SHA1

    fd9da121f7d31204ae0599362177240a5fef8f78

    SHA256

    7e15de3029f4a1e7ec471b6586942c13483732c5179eff3d10646cdc16beeb99

    SHA512

    817f8199cf6b8c36234314279457699c61811a6b6fd1668836b3cc5a501628e52666b55e957b4a185a08e2a556edd24a04cfcb7996d5bd9a3bd558ad1465a818

  • C:\Users\Admin\AppData\Local\Temp\49AB2.vbs

    Filesize

    541B

    MD5

    838975c4aa22954a147496c482677667

    SHA1

    f00e7f71f9c920bed98f186fd9ce3e9f93d85415

    SHA256

    08771ca60e5c917b733e132074c9849c93cebed0ee1b33c67f0811648f704fb5

    SHA512

    85117f8abe631612c1af78e34c7c14df2c19158d97c943a5e6ed0a7116fac7f99c9a5f08abfa0ea60463fdfeb620056d178c8d7be76edb13307e449bfcbd94df

  • C:\Users\Admin\AppData\Local\Temp\INBGC.reg

    Filesize

    1KB

    MD5

    873a0456fbaa689791a316bd95c4fc9e

    SHA1

    b8bbb098fffec911a760a3520823074d46090157

    SHA256

    4ccc1598bea95fa8476a3765e4c94ffc8005dda5ea1e89491344dd691e6a62e4

    SHA512

    1e48d7150b2610ed71be2bab65dddd395e06ae86f328c8f3f30937db2bb41c2516be35389c48e3d2418c20de56ecd9ed61987d8513fa7e0616c241d0b922a9a2

  • memory/3340-7-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

  • memory/3340-16-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/3340-17-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

  • memory/3340-18-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/4456-0-0x0000000002470000-0x0000000002471000-memory.dmp

    Filesize

    4KB

  • memory/4456-6-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB