Analysis
-
max time kernel
93s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08/10/2024, 22:30
General
-
Target
266df457680dbb2703b81c68ae19769a_JaffaCakes118.exe
-
Size
135KB
-
MD5
266df457680dbb2703b81c68ae19769a
-
SHA1
fc830bbe22a2cc47c4c9dd9519496d4fe9f6ca71
-
SHA256
ca6c591318dbbd36b8c994df6e860ea608e6755c40a23c377fc5f2c6b0719656
-
SHA512
fa3d0ab60d597b6c673fbde149df21498898e52ad9261504d9a7725627bb72f39f2f912cd6fc616238ab1aa191cf98f70f1fda1b5c8bde3bc2c0286de581d95f
-
SSDEEP
3072:fYirQae1xlrVwqNAd8f7IpX+/GDCypO0Fy9:fXQaKxIqNAd8DIpX++uypO0FO
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 13 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\266df457680dbb2703b81c68ae19769a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\266df457680dbb2703b81c68ae19769a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mmtask0.exe"C:\Users\Admin\AppData\Local\Temp\mmtask0.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
C:\Users\Admin\AppData\Local\Temp\mmtask1.exe"C:\Users\Admin\AppData\Local\Temp\mmtask1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD58c013abdafa94cbe994f89e5cf4f305a
SHA18bf39c61ae43813f8d9a50127f227282415e23cc
SHA2560f5dfbef0841983ba865c5e0b8d145b39d2001152416c800e916dc2d06da5960
SHA512cc7735a34f014dd99ab7a7646b57478b9862d13ff7e97660e2f026793a2f3d9ca65e3ff07fc51d681d848cbf6a3c2bcd6aa9093399125fcdd7010073a7206c2f
-
Filesize
80KB
MD583dc2617f82f6066dace3bafea4c9471
SHA1131aeb2e3b4b38a038ee046337ced57d91e714ce
SHA256bfa542cca1fbadf9ec4b5a268302152b0cc9dededadb3f067001c725207d8821
SHA5123ce9e0f8bc389dbf32caefa5dcf42afbd126cdd380563a7b63d3c11fa06c8a16bfc60046984dcac0d2bd4bdbc4d46d7b8bfcd383db273ac7adb858d7782cd487
-
Filesize
40KB
-
Filesize
40KB