Overview

overview

7

Static

static

3

3c6809c45d...18.exe

windows7-x64

7

3c6809c45d...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2024, 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c6809c45d0015efbaf6fe7551567ed3_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    3c6809c45d0015efbaf6fe7551567ed3

  • SHA1

    bf5bbb77dc0d1184e6e6ad0ba70a55b7a7b496da

  • SHA256

    ec49f2c2aaafce8bb9cdef73554a7e66d8ae9cb2c408298b885ec172857af33f

  • SHA512

    5e9ebd3ca0a832be535e42687a9230c1589635e54cc83a3880cdaa32957bdca90b4023c8f7bdf57a451a5640a62116686fa179212024dfe16f259487fbbdb6e0

  • SSDEEP

    6144:Ex8Gil+sosZu5yzrdFw/ZcLFASSqoPaNVagoXe4GESQ78nxiL7g:E6RZu52bwznPsIr18X

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c6809c45d0015efbaf6fe7551567ed3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c6809c45d0015efbaf6fe7551567ed3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\program files (x86)\internet explorer\wmpscfgs.exe
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe" Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe" Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1888
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1068
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:17416 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3156
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:17424 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    Filesize

    264KB

    MD5

    42a8b22a4b79432226f1a57a378fd33c

    SHA1

    e4478393bb766c78348bea427b24593311594c17

    SHA256

    28e1d14c13bb19ffef3946f7d935ebecdd8b9e50456094c0fca12fb3321dd421

    SHA512

    8aafdf6d3ee5ab2a9556100b13d3a719989c4ce94f6afe93fe35aa4209aed9024854b2a94c3bfdb6aa3345c3b7be474a1ee5ef05839ee52465ce0407ef5b3432

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YUS9Q6F\bsvmRggPb[1].js
    Filesize

    33KB

    MD5

    285520bc859a840449187cc43864a1cb

    SHA1

    3d85ac9801d3cc9a3577bc6f6ef3c754d2677dff

    SHA256

    ac8e37a73437f2c13789726ea053c21fcdfd485896aabd6498702064968e34da

    SHA512

    7d99e9b95ed4fdc8a510b3830e7948be99d55edfac91ec71c4c7e534176a25ebe48c1955dc39a950f1a3322ef7d18910048c16492ebb9ff54d517a294602d6a5

    Download Submit

  • \??\c:\program files (x86)\adobe\acrotray .exe
    Filesize

    268KB

    MD5

    6219b5445c1db486d99e611882a17e54

    SHA1

    5733e3eea2ae2e3496bd034f08c3899cc7b7a6df

    SHA256

    11517eab3b0bab3637587d7d37f8787efa48bea5f63da02f20ad7ebca786fb78

    SHA512

    400379b6e2bb63054672ffcf5c9cadecdca06c4bd7c3e1ec4ccfd8bce7c1a376e29512721f47ab6768fea3706c80c14badd5624a7691b43e7946ef991a190fc0

    Download Submit

  • \??\c:\program files (x86)\adobe\acrotray.exe
    Filesize

    269KB

    MD5

    823b791cfc416a367d9e03a4119bde6e

    SHA1

    f4562a6daf4dc50075d6e83d51b539adac1568fd

    SHA256

    645122f841fd461b8541d7a714f8d66b20ecfbd578a65f7731e5405ab610c6fd

    SHA512

    7992b9771f87009e7f3f4f0d0da30b564274d8056ae06a081e8a802d6d95ef43d2bdc2a0cca3e66b33c3b5865f6d07a6670bce71ddc87bca883645d87f7373e4

    Download Submit

  • memory/2244-0-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download