Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 01:51

General

  • Target

    54d303b283679409adb0d34f34573b60_JaffaCakes118.exe

  • Size

    52KB

  • MD5

    54d303b283679409adb0d34f34573b60

  • SHA1

    864feb1110af470f84827ed198fff2a9435b21f7

  • SHA256

    a23f28cc3a6e1718908506e8106d74649fee66776ba9c9a1d111e1fbc700fe2a

  • SHA512

    699af970ecd5fdd50b7c2ac1229b199d4b8abe77aa4c827ccd871b7888eb93919798017e9489ae50682a62dfae4b15a34431dda826783e3f7cfb0ab9dfb669f1

  • SSDEEP

    1536:cCM2LNW+RfAFqkuK9crRoj+tJC3oNRsVGtLytwO:k2pW+tAGKGRoOJaoNKAS

Malware Config

Signatures

  • Renames multiple (950) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README_ASAP.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\54D303~1.EXE" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\README_ASAP.txt

    Filesize

    2KB

    MD5

    a0bca63c8ba75cf1b7a30d0b171f474f

    SHA1

    af8a8153d52ee5d471e7f69b2245683b441b7b7d

    SHA256

    fdac2db3a1b1d199162e8768be32cc0c9e7161556b840c24c7e1928ac3f3f531

    SHA512

    0d68622772132d80fda645fa7cbd45eed8cd5f876da359f4aa735c56adfca949f7b77843301d8f6da26e89ade67daa3341f2edf0d0bcde08599a362b1abdc002

  • memory/2364-0-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2364-1526-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2364-1525-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2364-2296-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB