Overview

overview

7

Static

static

3

44904b504b...18.exe

windows7-x64

7

44904b504b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44904b504bb03c245a0ded8558001825_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    44904b504bb03c245a0ded8558001825

  • SHA1

    b6f58a653105190bbe6a5add16585310e4d6d91d

  • SHA256

    c3e76855c7dea89cb8b78e75ff95a08e1bcf4f8413ee17ea80c1bbe6e53e5265

  • SHA512

    be70291de4f955f376480e293ecbe0635a4067bc0e79e3d85f7150ef40a88ce00dc484a6a4b759bb78580aa0139fdfc807e25c8184f93ebe3b3d8d8cc2ce576d

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/:hDXWipuE+K3/SSHgxM

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44904b504bb03c245a0ded8558001825_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\44904b504bb03c245a0ded8558001825_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\DEMC68C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC68C.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Users\Admin\AppData\Local\Temp\DEM1D37.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM1D37.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Users\Admin\AppData\Local\Temp\DEM73A4.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM73A4.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4120
          • C:\Users\Admin\AppData\Local\Temp\DEMC985.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMC985.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4468
            • C:\Users\Admin\AppData\Local\Temp\DEM1FC3.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM1FC3.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3528
              • C:\Users\Admin\AppData\Local\Temp\DEM764F.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM764F.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1D37.exe
    Filesize

    14KB

    MD5

    db7cc1d897a2482900120df37d987b13

    SHA1

    a7631428af37b62297fc88aa06345dfbc19a5540

    SHA256

    4b5298618a98c1bbf3c3a5d1e338d1932b8e2454e5ba67044bd7aa80c56e7c36

    SHA512

    0dea0f23f403c2e1fcfa0c0b8ffc2bb0e18870f5c6ba5c327a1bd4c6ec07d93d26b55e68240f2184fe76d0a15d719bff3c37312619556ff95a6c6fb33d9c082c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM1FC3.exe
    Filesize

    14KB

    MD5

    8502dd614bd0c964b038d9610ff21d7e

    SHA1

    d00fd92bddb224e70f3c4852b965bc13ca96fb4c

    SHA256

    2f13dc8ea4d310ee05f1477033c3a7829215098d108c25e8588799d9a47833f1

    SHA512

    14cb511534b6c43b68f1a89770d8e893dadd2d8f09a1dcfecdca1ffe28c4f0169b1592d0442490f1ba2865fb4f98d16b5fd1647ac51cfb3cf3befab714788710

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM73A4.exe
    Filesize

    14KB

    MD5

    0a0231e24e0b2d39a829d02bb6bbf280

    SHA1

    314b6b4c1efa3d7ad25b8aa9b689ef6c1e19b65b

    SHA256

    be64eb95126f27eb14c5d3cd27440f41c2dea99cb79779be4873d19690218bbb

    SHA512

    da6dcc8e91820475270d7aa2712da8d275592849ae94978c30c5879fff1fbe5480e3f63dc757a944ffa1428075369f12f05f65292ccf6a9c36294d958aaac8f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM764F.exe
    Filesize

    14KB

    MD5

    4497387b84d81ed9dbba3d46741ee582

    SHA1

    f1e9549cba4a01b6d0006405838457d9711a95e6

    SHA256

    fd310f0ce527d5d0e17d80928f4757b5fb15a65cb7797ab7b3456c37718e3064

    SHA512

    605913113c31ed59ad20d521992e3069582c09b200e19d67781e091150fa49f22cec5d5feab4b490e7a3c5c90e4b307e43077d58d9db5808e53b1e3c4c03e611

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC68C.exe
    Filesize

    14KB

    MD5

    28eef363b396433a78d32df5a5065092

    SHA1

    dffeff45fe00757aa8d38ac993176391ae10589a

    SHA256

    5c097c4cd04c61accf305c9db8cf55a1b07bc4f2c44a3d4dc1f90b0659788915

    SHA512

    2b8d52793592ca64f151fd4ab32143b3bdadb7d4d254cd116a132bf95b06f0f2e175169d3857c272b14de80276f84c9bc38ce2152cff245ac3be1e015e1b6943

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC985.exe
    Filesize

    14KB

    MD5

    8a41b2632410416bb1129b44da2952cb

    SHA1

    313fc52a1b0aad1bde8a986b3403ab3b84a64eda

    SHA256

    8b5302654d1b01d287ca6255629b45f13d2abfe6c1f84cc33b1d678ef25276b7

    SHA512

    85b01fc63e85c894615f1423996f9c56f0036a33413615ec7c143d9338a2191b0132ea82e5f5920fe1c3ff476050441dde42f0b76da0dffb08e50f760c9564ab

    Download Submit