Overview

overview

8

Static

static

3

9f1f16de67...18.exe

windows7-x64

8

9f1f16de67...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f1f16de6755f29a852e3b955a9bc867_JaffaCakes118.exe

  • Size

    5.9MB

  • MD5

    9f1f16de6755f29a852e3b955a9bc867

  • SHA1

    5e5bf75f40b1777176ce36b0ce0ef6014eb6c8ef

  • SHA256

    d563a31a5bea70ba4ac0cb6e52061d1ec18aa0dc30d1c1f3ce16b4377ce8ddc6

  • SHA512

    933373b80525b3cdfc6fc8edaafdb7db9986812ebf44dd40c7d32ab6d8c8ed074df3e97fd933e7018e0e44a88f983705343825cc9a6c2a5ddae8cf04f1e89718

  • SSDEEP

    98304:1bYLG01chcME9qGigwR8hcfMksQbzAfVrYe5vDCzd38moANZ1lv33:1OtoGhcEkszd5GJ33

Score
8/10
defense_evasiondiscoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
    defense_evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f1f16de6755f29a852e3b955a9bc867_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f1f16de6755f29a852e3b955a9bc867_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\Project1.exe
      "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      PID:3876
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\saws.wav"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:744
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4e0 0x2f0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Project1.exe
    Filesize

    630KB

    MD5

    6f55750feb16232ed4f3474cd3e0b860

    SHA1

    940ba5ec15b545a2bde8de840ad699d97ec29525

    SHA256

    49329976da56d2ecd8fa33dd086af1079e8a6267288cf9a2c0a261a82a8d8d9b

    SHA512

    3599e2bb49fbb59bdd8c225cd2909df1f8b979573470d358ab250ef5398334c7bda4de670421b02fbb4518889c183d66c0c22127dd95cd75c3e64cd019309877

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\saws.wav
    Filesize

    5.5MB

    MD5

    058bd7ce50e8da302bfd70b9086acee6

    SHA1

    bac29a7529adfb06b09c8a79ebfeb78dc4a1fbef

    SHA256

    49ea0d84b47bef0d038b626187e0b7195ee320caea8ca10e7145487f4bece001

    SHA512

    8f878711be523c2f13e470117e0041a7e18d02bcfa98d3a29875e12dfb845acbcc8344d25474fcf155a2ad661897256780c5f2084e817fc0d1fc3fb3f94eee64

    Download Submit

  • memory/744-41-0x00007FFBC7DB0000-0x00007FFBC7DCB000-memory.dmp

    Filesize

    108KB

    Download

  • memory/744-38-0x00007FFBC8600000-0x00007FFBC8611000-memory.dmp

    Filesize

    68KB

    Download

  • memory/744-24-0x00007FF6EB600000-0x00007FF6EB6F8000-memory.dmp

    Filesize

    992KB

    Download

  • memory/744-25-0x00007FFBCC9A0000-0x00007FFBCC9D4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/744-33-0x00007FFBC8730000-0x00007FFBC8741000-memory.dmp

    Filesize

    68KB

    Download

  • memory/744-26-0x00007FFBC7E10000-0x00007FFBC80C6000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/744-32-0x00007FFBC8750000-0x00007FFBC876D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/744-27-0x00007FFBCE6C0000-0x00007FFBCE6D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/744-28-0x00007FFBCE550000-0x00007FFBCE567000-memory.dmp

    Filesize

    92KB

    Download

  • memory/744-40-0x00007FFBC7DD0000-0x00007FFBC7DE1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/744-39-0x00007FFBC7DF0000-0x00007FFBC7E01000-memory.dmp

    Filesize

    68KB

    Download

  • memory/744-29-0x00007FFBCC980000-0x00007FFBCC991000-memory.dmp

    Filesize

    68KB

    Download

  • memory/744-37-0x00007FFBC8620000-0x00007FFBC8638000-memory.dmp

    Filesize

    96KB

    Download

  • memory/744-36-0x00007FFBC8640000-0x00007FFBC8661000-memory.dmp

    Filesize

    132KB

    Download

  • memory/744-35-0x00007FFBC86E0000-0x00007FFBC8721000-memory.dmp

    Filesize

    260KB

    Download

  • memory/744-34-0x00007FFBB9030000-0x00007FFBB923B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/744-31-0x00007FFBC8770000-0x00007FFBC8781000-memory.dmp

    Filesize

    68KB

    Download

  • memory/744-30-0x00007FFBC8850000-0x00007FFBC8867000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3876-23-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/3876-11-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3876-42-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

    Download