Analysis

  • max time kernel
    127s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 16:05

General

  • Target

    837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    837b3ee12cc0ddd81bfcf0c7b57e3dfc

  • SHA1

    70612835e9d261454200ce963af55bb553b8b486

  • SHA256

    e356e0ab1bc38eac26f1e4caea3acae40f70b910a961555ae1c6ffa02a4d20a8

  • SHA512

    7df022a6445e09d52c39c717ebc3b77b3201beb2ab09d8c0aea4cc88f4253a708fa63949d27d21f04626fcdbc33bbd6293e3248f792adc7b769c6cec0d8ccca0

  • SSDEEP

    6144:xpMt2bRtHVlAKFMFkBiCl1zfWbq4iofuz3rWrthaU1m4R0a6LD:xpMt2/H/Fxi+1z0q4NWz7Wna

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Users\Admin\AppData\Local\Temp\your_exe.exe
        "C:\Users\Admin\AppData\Local\Temp\your_exe.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\your_exe.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4496
      • C:\Users\Admin\AppData\Local\Temp\1281085013.exe
        "C:\Users\Admin\AppData\Local\Temp\1281085013.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 580
          4⤵
          • Program crash
          PID:4060
      • C:\Users\Admin\AppData\Local\Temp\install.48596.exe
        "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 408
          4⤵
          • Program crash
          PID:1188
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2092 -ip 2092
    1⤵
    PID:2316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
    1⤵
    PID:3500

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\domain_profile[1].htm

    Filesize

    43KB

    MD5

    f1f2b7aaee1e44a366db28c98a515f94

    SHA1

    953fd34b1ca2e3558cda001be4adbb2d5d033134

    SHA256

    1963792c0cd11a3817682cf30395d90e49869d8c31030622585dce3053da259b

    SHA512

    2a9f6235fbb59046b3ad2f6483ea7b8d7f48c90ae57e4e704732fc9d9b2fdda8a9f9e6a27bba697e96b99f32bafe9a4ce96bac6310586c54a9e2e433e3f535e9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W9QJOIKH\domain_profile[1].htm

    Filesize

    8KB

    MD5

    3fa9af629784122319066f2d1cae66d8

    SHA1

    98737ac0c9f86fcdbf94e2dd162663bdbd26c5e1

    SHA256

    067506f7c94f53c20c3a289dda6e8812babbf5dc9a1a140e3a00b0f35a571f33

    SHA512

    dcea7c1a3ed124fcbb4aa0c1d38cdb46c0d703f08ab0ac0b9394a6cb22a398cb6221fc4d594aaa792f589ca2f6bf9b0b49622faf3b7de7a795339f0525a5096e

  • C:\Users\Admin\AppData\Local\Temp\1281085013.exe

    Filesize

    92KB

    MD5

    73ab199d7ab02007c908122e892ca1c3

    SHA1

    01614a27abc6a64ed6479ca2f6596b8b6d2d31a6

    SHA256

    3d0932127b9ae4643a8040b11deff670ce00844a0a4dc9bccc2cd6f4c715cd5f

    SHA512

    b506ad5d819d4d289148a91c5905cf9e65846c2a4a7f1f51585218728f54dc334c605df5d434f2c97e1bb353d6ec737fbbd3ba7763be107c969a0ff2de7346fb

  • C:\Users\Admin\AppData\Local\Temp\install.48596.exe

    Filesize

    129KB

    MD5

    4eea964cf5ee8eaaa4561798f69ed259

    SHA1

    f6fa8f310f8a439941acbeb25d3653c8cd130318

    SHA256

    3f9ea9e74b1a280508dacd0312b144b1c44d6f08077783656dd45f1b0df9144f

    SHA512

    96d080102bf3e99581b4e8dd98e40174a0709bb237ff042b869fb404ad24ebc4b74e33844bd10c378692c561298dafa346577094b6ae763e5e3740b8c6fb4b20

  • C:\Users\Admin\AppData\Local\Temp\your_exe.exe

    Filesize

    22KB

    MD5

    75ecb408da996d0d7f33dd77f6eb1c9c

    SHA1

    b836e9125bd643358bda960e50637a8ea172b495

    SHA256

    fa8652151b8bb6daeb86b97c5c705886028e587a5be366e0c228849c9bcbd078

    SHA512

    f9933923ccfbc04ddb95090a78698737355128aff01fd2713a1cd029c5c32bc37d29c01714c663eaa89ca604efdd80b16a27ec8ed7eb2769837a7130fa7bbccd

  • memory/372-2-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

  • memory/372-4-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

  • memory/372-47-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

  • memory/2092-44-0x0000000002040000-0x000000000206C000-memory.dmp

    Filesize

    176KB

  • memory/2092-43-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3120-40-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/3120-27-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/3120-20-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB