Overview

overview

7

Static

static

1

56397e94f5...18.exe

windows7-x64

7

56397e94f5...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56397e94f5dc73511c146410725bd92c_JaffaCakes118.exe

  • Size

    583KB

  • MD5

    56397e94f5dc73511c146410725bd92c

  • SHA1

    940f18d0785581af5aff5a2f3bac6c83aafaf869

  • SHA256

    b3c2cab864044554e869c383967b0dbafc238705120335231b0a3ea6db06b7f3

  • SHA512

    f79cff76f7fb6eb52966b954b5910560c7f40cedd545b210c30da2b2051924c0f45143ab271d62b19498b90b4669186e0de9ae7071026b91f3a272fcfe173350

  • SSDEEP

    12288:jr3ZBIR6GS4LKcstEw1lqQciur+WjtmhVAgJv:3ZB26GpucsC4uyGKSgJv

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 62 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56397e94f5dc73511c146410725bd92c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\56397e94f5dc73511c146410725bd92c_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Users\Admin\AppData\Local\Temp\SetB94D.tmp
      "C:\Users\Admin\AppData\Local\Temp\SetB94D.tmp"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\SmartInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\SmartInstaller.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.partypoker.com/pam_images/installer/omn.htm?pid=Poker&bid=WPT&lid=en&sid=1
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4212
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17416 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3916
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17424 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:808
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.partypoker.com/pam_images/installer/omn.htm?pid=Poker&bid=WPT&lid=en&sid=2
          4⤵
          • Modifies Internet Explorer settings
          PID:720
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.partypoker.com/pam_images/installer/omn.htm?pid=Poker&bid=WPT&lid=en&sid=3
          4⤵
          • Modifies Internet Explorer settings
          PID:4060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    d8db597c5e136ab9bdd3f2211335f5b6

    SHA1

    670ef10980647eb882800f7247e1e93e18d94e70

    SHA256

    15151eefc75cd9874103656278d2267c34646e5c8b2fdb939d47bf5c906a7a63

    SHA512

    2eba1faab7bb6ae0a1a8d68604c2eaf9147391731b5ade1855596bcab8e18be4a390efa1a28889a646c62405b08b8d2be0e0f238c81fb4b2d69b74ea3e323f6c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    6909d050a1f7fd7eabf4f4fdcfe47db6

    SHA1

    907f9f934f82c34fe4f235eef723f365097c15ac

    SHA256

    1a70a5bb64d76c68861680c4ca24602cd9fade03152175afa6051a9433dfe918

    SHA512

    57c73d2856c521ab636a260ac1611531afedad633881edf293068f530e2b21186d99117e9e00211b8545b94a4af8c4c43a13815dc0f2122d133dceb39b2d1d45

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SetB94D.tmp
    Filesize

    549KB

    MD5

    48a4aa57631b2efa3a8645ddee567e75

    SHA1

    ceb30e4ef076f1c2e1d5bef4e9cdffa66fbd8b38

    SHA256

    0c9e1ca23a6f8b22fc9afe2336caca4ef62d645a5788c8da0552283ae97d8da7

    SHA512

    afde4f90b20b7458463c7fa5ffe0a8013c6b30620fd7557043a13a7868d3202ae34ebfe67dd16c39857afae5d5ed7dd4073c6a65dd18968f446402967d48ebc6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SmartInstaller_Log.txt
    Filesize

    596B

    MD5

    1997c04f1adb8b5e2baefeb0e84c370a

    SHA1

    a78d3f8060ae63f7ce229ad8aa01181135b2b8d6

    SHA256

    3a0b7113f497c835488b4e7c32810f3702c7f65a5bf81e0c0ac52e22b12969b4

    SHA512

    881a40e922d7112104e48666f75099bdd3188237467b103f9ad271fb3bde2c0548150b2fec0eb42361d2818a245fb5fd632f259ce1ec92a8471389374f5b0d63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\BackGround.bmp
    Filesize

    25KB

    MD5

    c24d9f52dbb034a480342551ab8a5c08

    SHA1

    51a7a0ac3e9bbfe573c186225610b113942bd8bf

    SHA256

    9b369792fc959786f5b6b8aa55c0ae3e72daa597f38b29b18c54f378d22ee410

    SHA512

    c80e24b8b6fbd62fda6a79f0dc24e9c0fb53077444f08add51fb5d80b6b70c97d19bbb52358896cad5074c9e067db3fd3a14506c6c56a470c5366396d87ff288

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\ConfigParams.ini
    Filesize

    1KB

    MD5

    0182453f719075db12110aa7e4d062bb

    SHA1

    c4fd383529afd98575901f2906697d27503621e2

    SHA256

    32bee5fd279b31c740d1a3197dddb6be2ea07d65bd4a2fc77d9ebfc1c7089df8

    SHA512

    291ef11a2e25b206f579c965fbe3da239092cc97091a800c7139e83c14f032324429db9a4f6065143612556524e9f0eb9d8d6a56c3a250f68d3ad1df20247ea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\Language.ini
    Filesize

    2KB

    MD5

    afc17f76724780b5dd539f260b6300fe

    SHA1

    ba448d377b88e3402ef9ca0cd2717ec8656874c2

    SHA256

    e37cb32e89cedcbf673d44b2c05a1945011453c46c06fb2b8cedbd221d4afbdd

    SHA512

    254ed1d86db32f7358262e4dc7f84654cc17083808f7924826622181c68ce23788f21a98339a0d327537e8a6172199dd576b670430c28f3454bb4d8373b155c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\Preloader.jpg
    Filesize

    23KB

    MD5

    9e24d0b9982b61afc80a2e864e12c86f

    SHA1

    50776d36efdb0a660f5781f63a2884e53becd884

    SHA256

    f15140546b8464c59a3fa0fe8991d7132bab87465015a276c34966d995ab3020

    SHA512

    42bcb36bcffc8ce08d78fcb930da5324ac8afa10c085a7f2ff6360db87483c1ea072fd54fb94f3a44a5669245b6ba59e966a62a716f3c33b021b3e05398947f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\SmartInstaller.exe
    Filesize

    604KB

    MD5

    f13a917e6b91100bf41459462c957ee9

    SHA1

    793a99248607410cfd53fdd413c1481b4eb899f5

    SHA256

    60dbe785b8b7220cf68ef00acdd3b33e6739389e1eaf11ac15fe46de3cccc383

    SHA512

    2566d6d61c0eb84d5374e13d3e8e53ea770150b91879282d287497932335818d194a2505076fbae524d755d9e1099fc7ff6454fe980dfc2a85b5204de028be31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WPTPoker_Installer\zlib.dll
    Filesize

    52KB

    MD5

    4965107d112666d3835308a831a29274

    SHA1

    50439b99ce525ecb74c554e1dc43ddb39481dfa4

    SHA256

    105280995cd5746078d67b8651dfe4ad2abcd532d7ad528d3100c535b0b538af

    SHA512

    38fa8f0eeadd75bf212eaab458833cfd3445d00f3d77f1f8a86b7c3ba99376231c8b3fc3cfdff6f02f2ca9c90956c76f9055717712d35a7ca7b30172a0010b59

    Download Submit

  • memory/1760-31-0x0000000000A70000-0x0000000000A97000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4924-28-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download