Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04/10/2024, 12:06

General

  • Target: 134bf1602f63fd34dc74895fc21ea24b_JaffaCakes118.exe
  • Size: 79KB
  • MD5: 134bf1602f63fd34dc74895fc21ea24b
  • SHA1: d9ad772c8e0d4586c50af1eb601f7d20e3ca5119
  • SHA256: 1240e4076d94f1d5cad8f3cd8085355bfa35e1a63eb36fab0c3b56c288074264
  • SHA512: 50c5006708e0fa85947409be7fdadf9fe81cf8071e911d1ddc47af06404798d053eef7b194f8bf45e743d1fb2c2398f81fa2697f8526b705ae5a1aa2920e834b
  • SSDEEP: 1536:97gSQUC54RPg2YWZHiBsh90MdxLfzeu95r2/LcuF9STHa6Lfh/wcF/kPW:5Pg6mshGM/35KTcuF8btJdkPW

Signatures

  • Checks computer location settings (2 TTPs, 4 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (23 IoCs)
  • Drops file in Program Files directory (12 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\134bf1602f63fd34dc74895fc21ea24b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\134bf1602f63fd34dc74895fc21ea24b_JaffaCakes118.exe"
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 4132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkjun.bat" "
      • System Location Discovery: System Language Discovery
      PID: 4136
    • C:\Windows\SysWOW64\csrs.exe
      C:\Windows\system32\csrs.exe
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID: 1796
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\qbewlaa.bat" "
        • System Location Discovery: System Language Discovery
        PID: 1484
      • C:\Windows\SysWOW64\firewall.exe
        C:\Windows\system32\firewall.exe
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID: 1760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\itdmeftd.bat" "
          • System Location Discovery: System Language Discovery
          PID: 3108
        • C:\Windows\SysWOW64\spooIsv.exe
          C:\Windows\system32\spooIsv.exe
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID: 4964
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\rttnarjf.bat" "
            • System Location Discovery: System Language Discovery
            PID: 3220
          • C:\Windows\SysWOW64\lssas.exe
            C:\Windows\system32\lssas.exe
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID: 3052

Downloads

  • C:\Users\Admin\AppData\Local\Temp\qkjun.bat
    Filesize: 241B
    MD5: 126253d464516a55d6d7e8015f707b83
    SHA1: 0cd68f752fa56dd908e2b78be4cd37dcbd546bba
    SHA256: 305bb8eab19208f842cde61c4ac12077d04ac441df992d6087c1cdaa8f1a594d
    SHA512: e1ffbab579b77a7fda385998cbae2af51f07decb06cec8df9ccb8f69dfe07317c7b5dda015d5f8b6e70a186a42b0ca3a9ce6938ba19da8d2ca9eeba5e97b716e

  • C:\Windows\SysWOW64\csrs.exe
    Filesize: 79KB
    MD5: 134bf1602f63fd34dc74895fc21ea24b
    SHA1: d9ad772c8e0d4586c50af1eb601f7d20e3ca5119
    SHA256: 1240e4076d94f1d5cad8f3cd8085355bfa35e1a63eb36fab0c3b56c288074264
    SHA512: 50c5006708e0fa85947409be7fdadf9fe81cf8071e911d1ddc47af06404798d053eef7b194f8bf45e743d1fb2c2398f81fa2697f8526b705ae5a1aa2920e834b

  • C:\Windows\SysWOW64\itdmeftd.bat
    Filesize: 130B
    MD5: dea330ee66030196ed9d223e496c8293
    SHA1: ff679ac311af428fc552ccef7474d317be515843
    SHA256: 3997302e30879c71abaf7107b6481702f577fa2d056f7ff04d35b627f3cb35e8
    SHA512: bf6d1999918852d1af40bf092362168b222f0951da2ccec626d04e27c211cec0a6860d05318cc0b95162f07c3559b9268a4b63526cf86c5f9959b390cb39777f

  • C:\Windows\SysWOW64\qbewlaa.bat
    Filesize: 117B
    MD5: 187bbf709f5c6314c17a10ef6a9364e7
    SHA1: 926c95012228158e0ba1c32ca2e08f2b9d1e9656
    SHA256: f990eb85b8bbde5085ef37277945907ec0a2b6295fafe6828cc3888bb5644715
    SHA512: 96d6c5637ed99e0581bc9043be2af068d63c84c24f30196756652ae9de789df4a74596440109626f49ff6e4ca3be21a6ebecba95bc95effd29fa8f64f9b22aa8

  • C:\Windows\SysWOW64\rttnarjf.bat
    Filesize: 127B
    MD5: 7da2d0cc834d01a55c852fd3981d147c
    SHA1: ff6e0bbd3d7fefcb1f0035e310dee21949c4da48
    SHA256: b838b510e73d4c0157dc07c25abe4401fd69cdb03d94ff429818da82234b0474
    SHA512: 0f3771a1a37a3942d4b08eeb2197ec24082851f6a35f7a32c70935a7a3b4511c7b9ae4a760faeae94c47776af5af6873d76e5be21988f66ca2f1966b4eca15fa

  • C:\Windows\SysWOW64\wmimgr32.dl_
    Filesize: 18KB
    MD5: b9ac463174e66012d84c0e3e34473321
    SHA1: 4dcc4207fa5b1df01bbd5b7cba5537a18879d0e3
    SHA256: 9833ae44bfe08f2429debe4997054f87b8a058e28e9fa08f89f55d232131a776
    SHA512: f50b1c82cddae387a06e7c45f23124eb55daa67a2f865dd7cf893e2dafbabff956cc2f0e4a142b5bde9b953b3f5702ca8cfe670fa64c2b76c2648437c045dcf8

  • C:\Windows\SysWOW64\wmimgr32.dll
    Filesize: 23KB
    MD5: 9ebb3e4fc0c32524ba4098e214a06150
    SHA1: 41d0964a70edc0875ff9a8091b6911e18684e1ed
    SHA256: f183002d0c6412dc694b580e0b33194766921415e77f713d46cb29dac6ae196d
    SHA512: d7338292e03fd374fec772787e7561a6d6e9ca0b108cf4b6e9f79647bf0f64960ec78979e986f8bfa9874d907ecacca81183faacdd350e890c0dab02ca50298a

  • C:\Windows\system.ini
    Filesize: 276B
    MD5: fe28296b772aea2b953b585e70fe9178
    SHA1: b7a546c5e4ef3119324e20409cf029e9d0cb05d3
    SHA256: 529ee9a0a880b418e1593ae2d9f00aaa5ece3ce6a890d8a0c1ae546a3fc496e3
    SHA512: 5a8be9ed1dbda459d46c9ff53c95d7698a98f0d249f8cb3404109618fa3786059b4a56246088d25a64332edf6e80e30bd4ec24b270683e94eae3ae80d5019a62

  • C:\Windows\system.ini
    Filesize: 244B
    MD5: 794aff9a0eecb95e8fcd6567fb75c136
    SHA1: 34b4a260fa1bef5ce741300eadd97c134d207664
    SHA256: f58e12e4164f23d1d27f96fb31c01b7676b24f9c31999ac03c3410255b0ac9d8
    SHA512: d3cdd6c8984c133feb11d4bc0ccabc51c4c8b265cd0c92a41cdc1ae04000e4ba3751d1b40d4dd887f5ed8962ee7a863d7c1785c8697e124ed4d0eead3f4e3aa6

  • memory/1760-61-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/1796-39-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/3052-108-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/3052-90-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/3052-95-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/4132-18-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/4132-0-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/4964-67-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/4964-80-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB