Analysis

  • max time kernel
    96s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 01:39

General

  • Target

    084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe

  • Size

    43KB

  • MD5

    084a98df2578014a6a438bbebf073f3d

  • SHA1

    1568f2273314c2323862beda1974c8bf92e5ba30

  • SHA256

    ee006269107ab065dc4a1faaa0385aee3ad742c1d9559e0903d5daf54a2c40ae

  • SHA512

    2765cf94dc047312abb14ba6e273d4276254daf8442090d5816c419ea18a68de55f18b944f527b69f3b68b6161d6e61a4a8db295816a0bd7180d216c16f306c6

  • SSDEEP

    768:nAKiuDaSA1BlLHM+mA37Wl4VBimP0hntn7b0nAy/Q+up/f8qkTlVaxLfFi:nAKiuSvLPBPYt73y/Wp38TbkE

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3476 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gosDE4A.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2252
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    3581a0e6b4a2481b0d17c98cea4c6ba1

    SHA1

    f55e51abdb6324ae363802235297914a053947ec

    SHA256

    a904ea3ed03f1568aaea366c859b6f0610d0e47ccd5725c20132d3c10e11188d

    SHA512

    f9ea3d2712ca7ebb9c5826de7a89c59c7b2a50759baa83cf04fce4234d59e94d251560ab9e3bb845715ce54bc65187297eac9f73ad93adf034bca591cab3ab24

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    57684587f1bdbf65b2b27f399f79c8b7

    SHA1

    5300a28141004cc54bf231eb881a551dcb03b69a

    SHA256

    c31fb49cc18fb9897cd1f55f69470c6ad3b0607d87e8b0f7983dcd1e0f0d284c

    SHA512

    d35a7577192b7c0ef420dd91c39a67e23da0913362810510c0b0e8f2f8e7dbe9d3ecadb642c775a3e0dcd083e3a497e7009b014f74c5e37dc6cdff0c016c3a0e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6136.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.bat

    Filesize

    305B

    MD5

    2278cd220b3acc71db8263ec3ae034e5

    SHA1

    e60b8d27e9886f3ee25aeff133f236af2ccbdec9

    SHA256

    cdb19800d9b5962b5177c6bece36f6134775a404b22877fbc4784e4e46341f5e

    SHA512

    d3fc9252237396dff32b9486a2aa7f88dfdd3b631861d79497ce6523acd6b332a5f51d847e59c37dd3da5e89bd6062398a8af462adde0063cfd3f6a4293a88a4

  • C:\Users\Admin\AppData\Local\Temp\gosDE4A.bat

    Filesize

    188B

    MD5

    4dca1e4277b0939250634b09f6f562f5

    SHA1

    4470961cc504c1d11820d2ae240ebf30b71f4adf

    SHA256

    cb96c3c12b078e7730d72b6234201807246c9f1b8cbdf067c090ff031cd24384

    SHA512

    911a3c4b97fce47d0fd86c1ed3912338f90aa6dd757a7b98d6a80bcb966615adec6b6799cff1abbb5b81875cc055b60490f63c146a555f07ba2e11aeff876214

  • C:\Users\Admin\AppData\Local\Temp\gosDE4A.tmp

    Filesize

    32KB

    MD5

    433113cbc3c0b48f3142d7455d0e6901

    SHA1

    958e21b8b68f49f017f95596eabc269089ea1c56

    SHA256

    e3576effc96547514134b0c8b36fd3ff33bff2cfc518955d0f0cf0a0ccccc2d2

    SHA512

    eb2bfa9be9776d9d3f605af77e35ba33df7682f9d7f55e2b937ed15afb22819a822a4ed17c57dc3e818b0551338624f2e660e0500c4d640d675c4b83940df5aa