Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2024, 04:23

General

  • Target

    819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe

  • Size

    136KB

  • MD5

    819de36e469867c9d6c6fdf84bcd9a9d

  • SHA1

    8b61fe4d039453cb6f6ed9e116176b7a3a41f340

  • SHA256

    debc992881ed63f6c7fcb5c39e7cb69c26ec9735c4a9bb6febbfe8c9d0d818d5

  • SHA512

    420b375ee4c1d1eda4c7b77b7999fe0a2d88920bf7d0b0b1d958f21593319424233f7b17f0d3e9e4f6ef26213e1febd9e7860d3f04b5cbb6100fde90da5a0c0b

  • SSDEEP

    1536:S4+aEpOwd/VxDy/5X2++jCx3kdjKsPGR7ehp3vmLvsZIZwTcNhLx8bZJLtgm8iuA:obpDCw1p3vmLvsZIaVwiwDcD

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3392
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2392
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4352
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3944
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1508
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:624
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3456
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4536
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Local\Temp\avscan.exe
          C:\Users\Admin\AppData\Local\Temp\avscan.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\windows\hosts.exe
            C:\windows\hosts.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:700
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            5⤵
            • Adds policy Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1224
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1576
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:368
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3848
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4996
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1452

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\avscan.exe

            Filesize

            136KB

            MD5

            b5436bb6df903f83779bedd3c168595a

            SHA1

            3fae3dc913f5247bafda3892587a63a4d0ea9815

            SHA256

            6c39ffa70d9994088d17894aa3f931e44b8a6815953d12058715c1aa93ea5580

            SHA512

            f20dd032a08a33e24630332347ae34c7eb76f3baa75995f0d7205d9070bacb3a4aa5e9b7412b9c95fe59815938548e311fe3eeffc5ed6d026a8b7cb21a98bdfd

          • C:\Windows\W_X_C.vbs

            Filesize

            195B

            MD5

            e1ad4129d5dc3012106832f1cbc4eac9

            SHA1

            7c205558c728906c8dcaa5843cd401460ef1ef20

            SHA256

            8197453abdc45c9231e84c5cb41001774165fdf9b884b46e5219ee620c231988

            SHA512

            ec8848d95654cb3679d74cb8168a46db69dec2963a56c5165ba4f196a6fc8a90cfc7c3adae2294ad0f0721a5e263d3d3aba0bb680efa1928ba55638dad77dcc1

          • C:\Windows\hosts.exe

            Filesize

            136KB

            MD5

            56b2092fc836b2997bdf4830b2864a0f

            SHA1

            69d73c28c4af5ad1dcd969523551ca1a10c1c955

            SHA256

            b7ba6ca378593295ed8cdf0e2c8421b09cf47cceac8d32340666a8d46db8985b

            SHA512

            06ff9537e05050aea59accad658cf35c35a586bdf79c3ee814086c1de6e8e89aff220be4988c21cba5edf961364149b90aa02bc89545dadfbf0c0bfeb89197b7

          • \??\c:\windows\W_X_C.bat

            Filesize

            336B

            MD5

            4db9f8b6175722b62ececeeeba1ce307

            SHA1

            3b3ba8414706e72a6fa19e884a97b87609e11e47

            SHA256

            d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

            SHA512

            1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b