Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2024, 17:05

General

  • Target

    52c22d1e0cdd64be69e8d7f4e44202f1_JaffaCakes118.vbs

  • Size

    129KB

  • MD5

    52c22d1e0cdd64be69e8d7f4e44202f1

  • SHA1

    6351563688e1041b23062dcbf8907cfb941a0254

  • SHA256

    6a82095801b579849f93e58c13f4802ced81a5c3cd5f1283fef41ccdea5807bd

  • SHA512

    df1dcf29e031f17db1e5487c8696aa7eb0bc823460be10cdfc11d7e514f4e64e756e6a6ceb808ce9d89d49876faa0cee45d516518c145cba74921768dea219f8

  • SSDEEP

    1536:bv0thf2r6TbJgT3c8henl/Rq4xRMzyVqDa9Ii0eldJJgV3n97llGAmH+4dfrzyI7:bv06uJyxUl00Vh9Ii8bkJeozBXEc4dQ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c22d1e0cdd64be69e8d7f4e44202f1_JaffaCakes118.vbs"
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Test.txt
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:3868
        • C:\NewTest.exe
          "C:\NewTest.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 224
            4⤵
            • Program crash
            PID:2468
          • C:\NewTest.exe
            C:\NewTest.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2372
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3040 -ip 3040
      1⤵
        PID:3600

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\NewTest.exe

        Filesize

        64KB

        MD5

        dcda91587cda12c075c612881b9f7a72

        SHA1

        5b1d83b4e622ed037aeaf9ed49ceaffe90e70e27

        SHA256

        6a4254f1a181a6421f904048f35054df58393e782c854b53a9ac12c55c32cc81

        SHA512

        cbe1fbb0873c80d65f5365fb97e103511174b46e215506ee156307b6bb5d23411b511f7243eb8f364ec6dad214380b34fb0941a73ecf639f9b219d19976f7d55

      • C:\Test.txt

        Filesize

        2B

        MD5

        81051bcc2cf1bedf378224b0a93e2877

        SHA1

        ba8ab5a0280b953aa97435ff8946cbcbb2755a27

        SHA256

        7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

        SHA512

        1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

      • memory/2372-11-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/2372-13-0x0000000000400000-0x00000000004083A0-memory.dmp

        Filesize

        32KB

      • memory/2372-15-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/2372-16-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/2372-17-0x0000000000400000-0x00000000004083A0-memory.dmp

        Filesize

        32KB

      • memory/3424-18-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

        Filesize

        28KB

      • memory/3424-19-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

        Filesize

        4KB