Analysis

  • max time kernel
    141s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2024, 09:42

General

  • Target

    5197601d3263fce60649415662ad878e_JaffaCakes118.exe

  • Size

    521KB

  • MD5

    5197601d3263fce60649415662ad878e

  • SHA1

    d0ed76a028aac5c25ef35e794a5f46722ed7d9d5

  • SHA256

    1ecac9baae9daf7c7766ff7683570166d3be1031542475546c4db44e850dcafa

  • SHA512

    b3edb5135de6e1321e780cf878801e362134852b2d22ad3ef087e14a20dccd1bf55c1c9ee2cdb6266f70d4ee430d9c14764e778c03209a501b4cbea6fdbb6a68

  • SSDEEP

    12288:ibemqOid95Fl3kg7RVq8Nik6Kf6eeUgJi3HnzdeKnPkxgLOOk:ibRUdD3zXH6JeRgJi3nx5bLbk

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file (4 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX build.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (36 IoCs)
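
The "UPX packed file" signature above relies on static markers that stock UPX leaves in the PE headers. The following is an added example of how such a check is implemented, not the sandbox's own signature logic: a minimal PE section-table parser plus a UPX heuristic. The PE image it runs on is constructed by build_pe() for illustration (the bytes of the sample in this report are not on the page), and every function name is this example's own.

```python
import struct
from typing import List


def section_names(data: bytes) -> List[str]:
    """Return the section names of a PE image by walking
    DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # COFF header is 20 bytes
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]         # each header is 40 bytes, name first
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 (and UPX2) and writes a 'UPX!'
    pack-header marker in the header area before the first section's data.
    Modified UPX builds routinely rename both, so False here is not evidence
    that a file is unpacked; it only means the stock markers are absent."""
    by_name = any(n.upper().startswith("UPX") for n in section_names(data))
    return by_name or b"UPX!" in data[:0x1000]


def build_pe(names: List[str]) -> bytes:
    """Construct a minimal PE32 header (not a runnable binary) with the given
    section names. Used only to exercise the parser offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE signature right after DOS header
    opt_size = 0xE0                                 # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for layout in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data"]):
        img = build_pe(layout)
        print(section_names(img), "->", "UPX markers present" if looks_upx_packed(img) else "no UPX markers")
```

Because the check keys on names and a magic string, it is cheap enough to run over every dropped file in a tree, but it should be paired with an entropy or import-table check before a negative result is trusted.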

Processes

  • C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Roaming\DivX_Installer.exe
      "C:\Users\Admin\AppData\Roaming\DivX_Installer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 492
        3⤵
        • Program crash
        PID:1780
    • C:\Users\Admin\AppData\Local\Temp\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa -oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:976
    • C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
      "C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DIVX_C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1400
    • C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
      "C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",Startup
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",iep
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3056
    • C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe"
      2⤵
      • Executes dropped EXE
      PID:5116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 468
        3⤵
        • Program crash
        PID:2400
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ping -n 1 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 localhost
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868
    1⤵
    PID:4612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5116 -ip 5116
    1⤵
    PID:3280
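
The process tree above is what an EDR records as a chain of process-creation events. As an added example that is not part of the report, the following Python runs four detection rules over events constructed from the command lines and PIDs shown in that tree: rundll32 loading a DLL from a user-writable path, 7-Zip extracting a password-protected archive, cmd /c del of a binary in the parent's own directory, and cmd.exe spawned by a script host running a script from a user-writable path. The event schema (pid, ppid, image, cmdline), the path regex and the rule names are this example's assumptions, not any product's.

```python
import re
from typing import List

# (pid, ppid, image, cmdline): constructed from the process tree in this report.
EVENTS = [
    (2280, 0, r"C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe"'),
    (976, 2280, r"C:\Users\Admin\AppData\Local\Temp\7za.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa '
     r'-oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""'),
    (1624, 2280, r"C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe"'),
    (1400, 1624, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DIVX_C~1.EXE > nul'),
    (3588, 2280, r"C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe"'),
    (3188, 3588, r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",Startup'),
    (3056, 3188, r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",iep'),
    (4684, 2280, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"'),
    (4832, 4684, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "'),
    (5056, 4832, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /C ping -n 1 localhost"),
    (4472, 5056, r"C:\Windows\SysWOW64\PING.EXE", r"ping -n 1 localhost"),
]

# Assumed set of user-writable locations; tune per environment.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\[^\\]+\\Downloads|Windows\\Temp)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def rule_rundll32_userdir_dll(ev, procs):
    """rundll32 loading a DLL from a user-writable directory (T1218.011).
    In this report the DLL's Startup export is what adds the Run key."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    m = re.search(r'"?([^",]+?\.dll)"?\s*,\s*(\w+)', ev["cmdline"], re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"{m.group(1)} export {m.group(2)}"
    return None


def rule_password_archive_extract(ev, procs):
    """7-Zip CLI extracting (x/e) with -p: the password keeps the payload opaque
    to on-access scanning until it is unpacked on the host."""
    if basename(ev["image"]) not in {"7z.exe", "7za.exe", "7zr.exe"}:
        return None
    cmd = ev["cmdline"]
    if re.search(r"\s[xe]\s", cmd) and re.search(r"\s-p\S+", cmd):
        out = re.search(r"\s-o(\S+)", cmd)
        return "password-protected extract to " + (out.group(1) if out else "<cwd>")
    return None


def rule_self_delete_via_cmd(ev, procs):
    """cmd /c del of an .exe in the parent's own directory (Indicator Removal:
    File Deletion). The 8.3 short name DIVX_C~1.EXE cannot be resolved offline,
    so the rule compares directories rather than file names."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    m = re.search(r'/c\s+del\s+(?:/\S+\s+)*"?([^">]+?\.exe)"?', ev["cmdline"], re.I)
    parent = procs.get(ev["ppid"])
    if m and parent:
        target = m.group(1).strip()
        if USER_WRITABLE.search(target) and dirname(target) == dirname(parent["image"]):
            return f"deletes {target} beside parent pid {parent['pid']}"
    return None


def rule_script_host_spawns_shell(ev, procs):
    """cmd.exe started directly by a script host whose script lives in a
    user-writable path (here b.vbs -> d.bat -> ping delay)."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    parent = procs.get(ev["ppid"])
    if parent and basename(parent["image"]) in SCRIPT_HOSTS and USER_WRITABLE.search(parent["cmdline"]):
        return f"spawned by {basename(parent['image'])}: {parent['cmdline']}"
    return None


RULES = [rule_rundll32_userdir_dll, rule_password_archive_extract,
         rule_self_delete_via_cmd, rule_script_host_spawns_shell]


def run_rules(events) -> List[dict]:
    """Index events by pid so rules can inspect the parent, then apply every rule."""
    procs = {pid: {"pid": pid, "ppid": ppid, "image": img, "cmdline": cmd}
             for pid, ppid, img, cmd in events}
    hits = []
    for ev in procs.values():
        for rule in RULES:
            detail = rule(ev, procs)
            if detail:
                hits.append({"pid": ev["pid"], "rule": rule.__name__[len("rule_"):], "detail": detail})
    return hits


if __name__ == "__main__":
    for h in run_rules(EVENTS):
        print(f"[{h['rule']}] pid {h['pid']}: {h['detail']}")
```

Run against the constructed events, the rules fire on PIDs 3188 and 3056 (rundll32), 976 (7za.exe), 1400 (self-delete) and 4832 (WScript to cmd); the benign-looking ping -n 1 localhost at the end of the chain is left to the parent-chain rule rather than matched on its own, since ping of localhost is too common to alert on in isolation.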

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7za.exe
    Filesize: 523KB
    MD5: e92604e043f51c604b6d1ac3bcd3a202
    SHA1: 4154dda4a1e2a5ed14303dc3d36f448953ff6d33
    SHA256: fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3
    SHA512: ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

  • C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
    Filesize: 26KB
    MD5: b65d387db7875a1f5ac8aa5932b8af08
    SHA1: b60a08b5e573fc8fa211379471b01883e9b5fffa
    SHA256: 640eceb1326fcf1f955436a99721893cda6fbc50ae782fa02727ad48c28c60ee
    SHA512: c5b9ae09c5a0684dbe9bf863a6eda7d08e27890c1d61e97cf82a4ee431dff111a58499ca9d899adb49e79697273a3fecd3c81a4c229ea9c435593c711b0a014e

  • C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
    Filesize: 92KB
    MD5: 7b6bd526430c3987be1f44245aa3ec38
    SHA1: e271078a59640b765fba87227f7b4401e5d6b35f
    SHA256: 7128ddfa3e765a80f592205bf300d7a3168e22acf64d4efbe7c694aca3a5e95a
    SHA512: afd50c61bf32bd6a09c9aefdbb5e16d6a5a11c541c9b013691cc97605f3072ad1ab101754cab3f8694d143db86b428a96048f5d21c707f9ae4783c218c87d9fc

  • C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
    Filesize: 75KB
    MD5: 94fb3b4a47c149ef0ae646c379697c63
    SHA1: 115e466d3066b1f223acd9ec3abba24f9b40db64
    SHA256: 212dde65e0b60c4518e0aa90dd3c2a7267e75b3227f550b3d56233fe500c3832
    SHA512: 8f7df0814f6e8280efd34516171c1c293cfff6adf6f581ea0061645e8ef28cdd645c6452274d5902140ef06763bdadd0a1a2139fbc91f82f041e54a6baa6ac78

  • C:\Users\Admin\AppData\Local\Temp\a1.7z
    Filesize: 135KB
    MD5: 0efc8c3587e3a4c9e5296628942445e4
    SHA1: 07f84a00303ca1c0611146c979489056159db29a
    SHA256: 94edff236294e85cba575e3983b9be804d52265ba895b6b785f151c123749572
    SHA512: 04a19f9d3dd0b33050dcf984c776ab490001686f094277c7c15834e0ecf0af3073bca4e8f626d8a39292631970013f818ce38c5880dfad287cbdd0d2ba165f9b

  • C:\Users\Admin\AppData\Local\Temp\b.vbs
    Filesize: 415B
    MD5: 1a575dbe09ffd4493104d127c80a0db7
    SHA1: 004f702b4e4aea196a94ce50d440e4a9f3055b76
    SHA256: aac4342578fb155c7531e981e33a1e423b8ed7e2abb979a0b8a0711e5413648c
    SHA512: 16d47279e9544b51242b548018495c33792a0f902b15131f95e024c24b41b38f02705a80e6a94f0916064bf3020234bb07b7bb8a74f700763febe6f54b964b97

  • C:\Users\Admin\AppData\Local\Temp\d.bat
    Filesize: 129B
    MD5: e8d125eecfd718eb049687bc0bfe2252
    SHA1: 7be3dbb4578a9dfb836d8b420be7f54dfda0e332
    SHA256: ff389a2d72dad44c1173e0846a45f203a36702b2425ab879d26f002a4e786cac
    SHA512: bcfbd08de6075f57e18fb7048c23e770c6b86e00ee1f723d2e5f0fd248fe884c30e2e29208cc5229e4873245cec5a8bfad03dd9d4cc1a5e980f0b1029f7a624d

  • C:\Users\Admin\AppData\Local\Temp\nsb7D21.tmp\ExecDos.dll
    Filesize: 5KB
    MD5: a7cd6206240484c8436c66afb12bdfbf
    SHA1: 0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919
    SHA256: 69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926
    SHA512: b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

  • C:\Users\Admin\AppData\Local\mfcoms.dll
    Filesize: 92KB
    MD5: 969e89dc4a97415805530b6717bc8f51
    SHA1: d46cedb74ecfc6eab0b089d0639263f97eeef618
    SHA256: b96665f4e65f014fbe43d2496273f6addf9a5ae799508ee2214ed5ba30180291
    SHA512: 7fda06061c302a17c1129f08bd6a4d02e9217e18c67fa70b72a4d07fa5aa5505ef7cb29138d2f8630ae9d1ff43e36cf2698a0b1fcbc8d7af5c49f4b7640b5054

  • C:\Users\Admin\AppData\Roaming\DivX_Installer.exe
    Filesize: 123KB
    MD5: c5fac72a6adb2183930a3e4ae9918a5f
    SHA1: a3a60097d6312bed4fcda4fa6c4ecd86c140da19
    SHA256: c27fd98bcf7260783b3b08776a3bbf93576c2e57bf386fa33e02220463496eaf
    SHA512: 70eb0795169781d0e38d023c46e03c9bf2b121c489720a818a0a49a24582310c799b129bcfe412f6c57dac41f0ba43a3feca51cf81f731651cefa0c6391fa47a

  • memory/1624-38-0x0000000000580000-0x0000000000585000-memory.dmp (Filesize: 20KB)
  • memory/1624-42-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
  • memory/1624-58-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
  • memory/3056-70-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/3188-68-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/3188-62-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/3188-69-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/3188-51-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/3588-37-0x0000000002020000-0x0000000002030000-memory.dmp (Filesize: 64KB)
  • memory/3588-60-0x0000000002020000-0x0000000002030000-memory.dmp (Filesize: 64KB)
  • memory/3588-61-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/3588-59-0x0000000002020000-0x0000000002030000-memory.dmp (Filesize: 64KB)
  • memory/3588-36-0x0000000002020000-0x0000000002030000-memory.dmp (Filesize: 64KB)
  • memory/3588-33-0x0000000010000000-0x0000000010017000-memory.dmp (Filesize: 92KB)
  • memory/5116-41-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)