Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/10/2024, 17:50

General

  • Target: 436fe296d1bf331a1fa353b5314f2592_JaffaCakes118.exe
  • Size: 321KB
  • MD5: 436fe296d1bf331a1fa353b5314f2592
  • SHA1: e45d1b00d79d65bfc6d4c7d3702f710724f446d6
  • SHA256: 155d3e8d7937b4e08ebce50b85a6db347e08f548c9e312d38aec3105b24c5f71
  • SHA512: a93f6a8e47093ff28c7a3a9741fb402ea2dab6a9a0cebc81dc2c5b73dd1e53c1dd89bb232fd9217ae2a20dc990add81cd37dd534839c19e9e0b8709fecb1dd8a
  • SSDEEP: 6144:AW8tJDEF8boG0T5pB7G/Vs7MNMdoH3F5JGnJ44VT+kccqUOegz2EefK9JdfGJn5e:ADi88G0Tx8VsYHYn24TqjegyPS9JdunU

Signatures

  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (14 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops file in System32 directory (27 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies Internet Explorer settings (1 TTP, 8 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\436fe296d1bf331a1fa353b5314f2592_JaffaCakes118.exe (PID 4748)
    Command line: "C:\Users\Admin\AppData\Local\Temp\436fe296d1bf331a1fa353b5314f2592_JaffaCakes118.exe"
    Signatures: Checks computer location settings; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\pinstaller.exe (PID 1972)
      Command line: "C:\Windows\system32\pinstaller.exe" SW_SHOWMINIMIZED
      Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\AppxAppl.exe (PID 1924)
        Command line: "C:\Windows\system32\AppxAppl.exe"
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\adsmsext.exe (PID 3912)
          Command line: C:\Windows\SysWOW64\adsmsext.exe
          Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    • C:\Windows\SysWOW64\ast_5_csl.exe (PID 1180)
      Command line: "C:\Windows\system32\ast_5_csl.exe" SW_SHOWMINIMIZED
      Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • C:\Windows\wast2.exe (PID 1364)
        Command line: "C:\Windows\wast2.exe" 2
        Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GLC7908.tmp
    Filesize: 161KB
    MD5: 263e81631fb67194dc968dc3f4bdb4e7
    SHA1: 2998697c503a542d5cf1e25a0d0df18fcd38d66c
    SHA256: 9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766
    SHA512: 2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb

  • C:\Users\Admin\AppData\Local\Temp\GLF7F36.tmp
    Filesize: 10KB
    MD5: 3b2e23d259394c701050486e642d14fa
    SHA1: 4e9661c4ba84400146b80b905f46a0f7ef4d62eb
    SHA256: 166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1
    SHA512: 2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

  • C:\Users\Admin\AppData\Local\Temp\GLK7928.tmp
    Filesize: 33KB
    MD5: 517419cae37f6c78c80f9b7d0fbb8661
    SHA1: a9e419f3d9ef589522556e0920c84fe37a548873
    SHA256: bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11
    SHA512: 5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

  • C:\Users\Admin\AppData\Local\Temp\GLM7B2D.tmp
    Filesize: 12KB
    MD5: a8108d3e40849b61fddfacf36e520395
    SHA1: a03b5ae5bc22e3ce89a7205c7aea8c3339cf8dcd
    SHA256: 84c6507fe457d6a882f643908423a3e42ee1170218d18c53366ae6fbd627ff36
    SHA512: 50b4ede09a34860571fac72f2bdf0877f26f4ce276ebade5c3406fa5ede2dd6b5dd3fae4b74acae022e161d6a59142d0976064f993593ccac5988e1926816062

  • C:\Windows\SysWOW64\AppxAppl.exe
    Filesize: 160KB
    MD5: 063657b10eeae88af4ea3950937d00ff
    SHA1: d457c075afdb97016f86200ee1e5d36a2f596c40
    SHA256: a79931f52f6e7f305eb9b968c68306b49e6232f4517734a18348eefbec91b25f
    SHA512: c39b21683a9c3d35ef09b95d78bebee9501f54d467500c92de64d069bbb4bdad71b36ca105e7fcff51920a2f58cae33e9a18d2c3ceb07a05ea4732c028c38532

  • C:\Windows\SysWOW64\Searchx.htm
    Filesize: 208B
    MD5: 5d2800df70ad5c2818ab6a9a384cf189
    SHA1: c72a54b8bef405e151609cf06032ce11a81417ac
    SHA256: 808c6d7a7a6aca141d2ee3aadca78438705aa8c6b8735918e2f31269d63c1a55
    SHA512: 4092e936783e62755678eba62db461f2917009b60f7f0ca4e6d6f05485d6a2f7a10b4f6dc56bcff1cdbb4fb03bdfdb9635c292471548a67981a53117e562fff8

  • C:\Windows\SysWOW64\adsmsext.exe
    Filesize: 124KB
    MD5: 4e2674b6dfe30e977611083c3bcec7b3
    SHA1: 814ac07e1413ed6c41beb3a160f750c60fd3cb89
    SHA256: f17d708de5de854535cb90a4d7650236d3583b3e82d6408032bceaa3398be61a
    SHA512: e1cf98003468d873349cecf17bbba9d38bb05c4a17584a34610f3d55528084ccb34227b069d4017efd201c4eadfae18718eb097d4b6ef2d7af8b911b57ee8712

  • C:\Windows\SysWOW64\apds4155.exe
    Filesize: 506B
    MD5: 9fd8d912ea736e44bd5e7f72b1a51c6c
    SHA1: 6f6e504b9499455f6edb768fb67c2f768fa54b73
    SHA256: 1e4afc44746de705a8c39eed8c9c5626ebe571ed2beaa92d0bbdc3e28831cd1e
    SHA512: 82f5689bcc1ad0fa1ee92ed6ccf21779aa103a614a3de21f2a0065d621060ff673c0dd393828cba6e022bc3e3ef620113ce7572dc98a0df2e80555470bd49e62

  • C:\Windows\SysWOW64\ast_5_csl.exe
    Filesize: 131KB
    MD5: 63f2adc604923a6a9956c8edf24b400f
    SHA1: 9a986743a96edfdfc47472e806190baa4464d9fa
    SHA256: 4c1ae8e241401788286a399b0280c1bfe064e24f4ad3710f7c7fabf440c7e97a
    SHA512: 0d43ff0552e2cf79486282c36aeff06c1d895c58ab55ec5c01f381139dfdae720372ed3a8050f1ad4eee808ceb3944b45d5ac37a639e7d09fe13515930fcf340

  • C:\Windows\SysWOW64\datastor.dll
    Filesize: 48KB
    MD5: 8ddbb05e7b521587fe3642ce10d05d4a
    SHA1: cb889c8c08197da9e018f82283c8f22b00f6e9c2
    SHA256: dd81551b20ec16f409792c62ea49a7e51f0b25a4eadd3df6c69540fff222e3cb
    SHA512: d48469274313454b3c4cccf6c58a9ecf77164555c871bb374c34c7c1759c54d50731145839ace15a8c80a3f934113cb80dab19ad3cf2c2ee23099b07e4bc5f76

  • C:\Windows\SysWOW64\iehost34.exe
    Filesize: 160KB
    MD5: 8dcd7553a978da47299465808ba32d14
    SHA1: 9c44c307abcabae210ca287f1b15802248979950
    SHA256: 8fe3ffdae270e77305fa2c7ef1d13077ea696ab75657cacaa43fd12094223a87
    SHA512: 6e21538af7c6980ae36980cf2de2c72128adfff7d9c1612b5ced83125ff9a3473993bc84d1986b0906a64bafff73e8247226c10ac1b75ee4773c21b7ada7200b

  • C:\Windows\SysWOW64\master12.dll
    Filesize: 506B
    MD5: 87a09567462dc08acc8825ec6855e2be
    SHA1: 55cb6697f532f4c0cf85bacf4ea8f97b6f18d00c
    SHA256: d1272a18487e9fce61aae55bbac13f09a260bce6f7438bc3fb3a8dfb27501fbd
    SHA512: 898244679a39138a7e5bef3d5c78304bf6e613d5a42dfbf7e573312c1efd008b2e3f49f9f56a48e609b617e2c49a3028f8c4a0db6b61e899b1d0e4ba11cd5b60

  • C:\Windows\SysWOW64\pinstaller.exe
    Filesize: 44KB
    MD5: db96325a5409eb06b6f71dd104ca5f0e
    SHA1: 170ca709dc51ac5aec4f8755dbbbcc1a273544b7
    SHA256: bd95ebb75fc545ac620a8162dd530cb7ae3efd9700b6d8cc52f621a6f5029707
    SHA512: dfeb7462da5f50ec7444c4bf1a17fa5142611c8c1e350431a6e2e552573fcc36ea1988d9baa7ea84a0282e46453120e9aecae285de3d077e7f80b861bdaf8d45

  • C:\Windows\SysWOW64\terabyte.exe
    Filesize: 124KB
    MD5: e9a98c4de6cf6986ab3db0c5ea61d460
    SHA1: b0d4d7e57c061518015b77d579d03743cf6c7ca6
    SHA256: ec0a3765e87fa090fb91d18607373ffbe99e3b054c6dc80fda2c2d62f089072a
    SHA512: 87b7c248e0d102d4d0ab70ba07f1c1d78eea54feb4ba938de7f9ad371a5e4b9c18e7af95e6beb03e5ae0d72660bec77ab5f4a861cd8320dbbeda1f20f326e4ed

  • C:\Windows\SysWOW64\unwise56.exe
    Filesize: 64KB
    MD5: d5052896c1613fa89608f33a6cd76d29
    SHA1: d0265307ad475caa8f7bdad9bcb8899baf519090
    SHA256: 597732339998fc1c5860c177b3bc1a26efcd55f95a5d5f8bd5c9bd1e30ed1e6d
    SHA512: 24767147494751a5d33868e3f20eb61cb4659dfe13c1a70a890071f4034b708a4c94fa83b62a8731ff75704f439793b629f640bbcbddbb0a92af4930332d147a