Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 02:12

General

  • Target

    812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe

  • Size

    237KB

  • MD5

    812723d3e69a8a9543dd2ebeff8a7fa5

  • SHA1

    52c49fb43ebb5ef733ffe012c392ba8acceee202

  • SHA256

    1ab4bda709b6dec9b2d4df647e0d4372b1aa9a712b65a32fcc33642005d57e08

  • SHA512

    9205f751ecbccb1d62a0236c7ddb4132e797d75a375f9191fd626cb86fde6625bb6bbd0bc00ecc3429ec6e7861b577761745514f4a81a0473066c7a7d7fdbae6

  • SSDEEP

    6144:2bNfTsrH63mizzzT7nn7EqNuaV60k97lUf+Ld:EAe3mizzzTz7Eioh97lFd

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe
      "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3696
    • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe
      "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 272
        3⤵
        • Program crash
        PID:364
    • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe
      "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Msj..bat" > nul 2> nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2412
    • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe
      "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4660
    • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe
      "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Local\Temp\geurge.exe
        C:\Users\Admin\AppData\Local\Temp\geurge.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4764
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3216
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2272
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2760
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\tujserrew.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3556
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1540 -ip 1540
    1⤵
      PID:3680

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Msj..bat

            Filesize

            180B

            MD5

            df5f881c0c771871329bf82305b79b20

            SHA1

            62b0c32e61c92a29f1be786cd1634b80ef97d1be

            SHA256

            6566bfa7b5d7565bb5cd35e6f2b4b89cb7d687e17c3919aba50caded602f3904

            SHA512

            3e10b918329a829d53794be7969719b419ee253035c1c35d4031b1e3316a9405f3d97dc369f0f510947207939de55c3f68105d4a66ee0886cf25c70ee0177b0b

          • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe

            Filesize

            22KB

            MD5

            88afc5e074effdce294e0da16c805d0f

            SHA1

            bf5f183d44ccf8fab7462022a464981c59119d96

            SHA256

            a41df47a6ed0cc26973c4bc1452f7d2e21946157552a5515052dc8642b48743e

            SHA512

            c53e10bd860b24bc28d9b6f0b9ddd2840b62f677bb4a2e181315b53553eb8c52f13bd6c065a43b6c577f03c8952288f76f61ba799756a731ce54d0099e46da2a

          • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe

            Filesize

            58KB

            MD5

            4799c30743d59d162a7a4d0f16bce415

            SHA1

            21b11dfedac88b1009b6459b92076b2278954183

            SHA256

            acc6f5666df365ac19248f7854ae8d3753e126ab5125975e232e9d7b924523f1

            SHA512

            bb67e53a36cbb7f73d71c4cb1a75996481ca0646cf73565ef3f34973bc42384aff47d625f171385a3d677e336758e3b5a35ef7f5c2dd21b471f55bf5ff0d8ebd

          • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe

            Filesize

            72KB

            MD5

            2ca85ee33f90ba3705885737aa656a40

            SHA1

            e9f4331ef93d63e1c89707d6acdf699fc095a9b5

            SHA256

            b34881d5e2d3933dc467ed65bf05dc43fc17dac7d3c30d0cc89b98fbe71dcafa

            SHA512

            9ce38d53fa1311c81943d03026b3c1dece41bec20ac109dcb46c9a5766ffb93396af57f6d440d095e205ecc025655b648ea1e73f600126bafbf6fc768ea80787

          • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe

            Filesize

            3KB

            MD5

            46e07fd3a40760fda18cf6b4fc691742

            SHA1

            53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

            SHA256

            bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

            SHA512

            ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

          • C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe

            Filesize

            81KB

            MD5

            28ee9992c5cc76a2a2385eaa7423411c

            SHA1

            96b5485154f44094627770d5fcf7a4a80aaa111e

            SHA256

            9fb5e5110b4fa98c20c90c6f597a09baaf7c301e417a4d2ac7dcdcf6c19cfea1

            SHA512

            16ff019cb3ca0cae00a4336d0dd77d95cdcd3bce8b064f3072a9d3622bf190290eb33ca8500cb26f104da80df9704f98584c234dd243804547e0c45605c6276e

          • C:\tujserrew.bat

            Filesize

            130B

            MD5

            d08cb97e3b90ca2dac463f834008b9b9

            SHA1

            3db0d4da98d144669284f50d9e8ea87a988ac93a

            SHA256

            033632928b0c1a737728bb51db824f5fc92c84cbebae99553e8a1f40bd05b8f9

            SHA512

            d843a43695c808bf3ee6088e5213f5b97f225412c36a41778a41a950c7459e4e9c4332b98bc9007544863e4d39b5f11bf15308ceeaceff7320847d301febe97d

          • memory/1156-64-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

          • memory/1156-59-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

          • memory/1156-65-0x0000000000400000-0x0000000000403000-memory.dmp

            Filesize

            12KB

          • memory/2984-58-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

          • memory/2984-80-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

          • memory/3528-66-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3528-67-0x0000000000419000-0x0000000000425000-memory.dmp

            Filesize

            48KB

          • memory/3528-57-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3528-43-0x0000000000419000-0x0000000000425000-memory.dmp

            Filesize

            48KB

          • memory/4764-73-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

          • memory/4764-82-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB