Overview

overview

10

Static

static

3

a5d0e995d4...18.exe

windows7-x64

10

a5d0e995d4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe

  • Size

    662KB

  • MD5

    a5d0e995d43232bd4b3d73f8899b7ef0

  • SHA1

    46e06085c542f69ca2a78bba9f4eaa0ad77b1713

  • SHA256

    597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

  • SHA512

    c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

  • SSDEEP

    12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\System32\mousocoreworker.exe
      C:\Windows\System32\mousocoreworker.exe -Embedding
      2⤵
        PID:3384
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:3304
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
          2⤵
            PID:824
        • C:\Users\Admin\AppData\Local\Temp\a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3436
        • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
          C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 684
            2⤵
            • Program crash
            PID:4644
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 704
            2⤵
            • Program crash
            PID:3184
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
          1⤵
            PID:2644
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5016 -ip 5016
            1⤵
              PID:1060

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\USOShared\znhmfgj
              Filesize

              654B

              MD5

              bd8a66874303aacba0ca8313751d5892

              SHA1

              ac7fcca298e8d9c8d73b70354d02c9e526351b00

              SHA256

              e7dc06f0747f9f2b32f64cfe754bbe0d3c3d485f889f25d7e913e9a5e3c23a41

              SHA512

              0a8a0382e9558d7727d01fbf159b6beb8387a02d917f71503641d77310edb1f00fd4709496315355ce081bab1f62d1de234619a6060d7d4bc9fca8c42cd28148

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
              Filesize

              662KB

              MD5

              a5d0e995d43232bd4b3d73f8899b7ef0

              SHA1

              46e06085c542f69ca2a78bba9f4eaa0ad77b1713

              SHA256

              597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

              SHA512

              c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
              Filesize

              129B

              MD5

              a526b9e7c716b3489d8cc062fbce4005

              SHA1

              2df502a944ff721241be20a9e449d2acd07e0312

              SHA256

              e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

              SHA512

              d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

              Download Submit

            • memory/816-11-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-9-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-12-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-17-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-15-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-51-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-221-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/816-3385-0x000000003BF40000-0x000000003BFB7000-memory.dmp

              Filesize

              476KB

              Download

            • memory/3436-0-0x0000000000970000-0x0000000000B8A000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/3436-1-0x0000000000B90000-0x0000000000DDB000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/5016-6-0x0000000000A50000-0x0000000000C9B000-memory.dmp

              Filesize

              2.3MB

              Download