Analysis
-
max time kernel
28s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-10-2024 07:15
General
-
Target
125c3f679ebe7849d37ac96188c674ec_JaffaCakes118.exe
-
Size
344KB
-
MD5
125c3f679ebe7849d37ac96188c674ec
-
SHA1
33b4deb723798c8b236202e18734203a8e0f2d9e
-
SHA256
bf0958b198936315a9588042e8fb4eeb1360f9322b4f19b06b462088dea7c339
-
SHA512
c4371913c073f3d9f9d375b3bf8aa08ea848c351a78a89952dda477c02fa993801504628959faffbd4d2311fd3d469526b7e4adce5c0fe51541cace1edbea14b
-
SSDEEP
6144:DvDci6eqaPzJwCT0znucerL3tjRs2Ufg/4t/S2rBTATZUEUxDuus5As01uudY+o5:jUaPfjRsQ6S2NdX5oe2
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\125c3f679ebe7849d37ac96188c674ec_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\125c3f679ebe7849d37ac96188c674ec_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\movoz.exe"C:\Users\Admin\movoz.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD585862b1ec91de0d550c99392bcd08d6e
SHA18a4a9b83d38459e34ff3bf6e081a3491ba174cae
SHA25689e76490fad3ec44c42694721f497331b7e04a0f6d1d2c7aaa54378f1a104ee7
SHA512d5a8d36a0c224f56bdbe2a2548e6c671f8270a41bb2aa3661756307bd64972a514df4819856012c57adf67b8c8ff443fda303e41746e9c8ab4ad99f01eddbeae
-
Filesize
344KB
MD5125c3f679ebe7849d37ac96188c674ec
SHA133b4deb723798c8b236202e18734203a8e0f2d9e
SHA256bf0958b198936315a9588042e8fb4eeb1360f9322b4f19b06b462088dea7c339
SHA512c4371913c073f3d9f9d375b3bf8aa08ea848c351a78a89952dda477c02fa993801504628959faffbd4d2311fd3d469526b7e4adce5c0fe51541cace1edbea14b