Overview

overview

10

Static

static

3

ceaaeb1712...18.exe

windows7-x64

10

ceaaeb1712...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceaaeb1712019d430836876402e557e0_JaffaCakes118.exe

  • Size

    714KB

  • MD5

    ceaaeb1712019d430836876402e557e0

  • SHA1

    2ab07d22fd77078e77aa3a635ad9d16f7b6a7fb1

  • SHA256

    7ab006f651a322f3e0a931b4c996ab6a0376848fcf2b105aa60ad1f0509cf11e

  • SHA512

    4923abc558f63f1c995592c08071fafbc7d6bdc9d45ad6ab1039bf929a5a4cb1396aaff1d334ecf8f27b1f6bdb313bf7f40996acb3bd6b2d86a9ca91d8bc7b4c

  • SSDEEP

    12288:bE21sNQUTjzo7nFcC6V0Wu+vvg7yXru6O55IENgC2QUT0uDYyuXdNfkd9R4au:JsNnD6evI7yb7MIabC0uh4dJQe

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\System32\mousocoreworker.exe
      C:\Windows\System32\mousocoreworker.exe -Embedding
      2⤵
        PID:740
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:4048
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
          2⤵
            PID:4296
        • C:\Users\Admin\AppData\Local\Temp\ceaaeb1712019d430836876402e557e0_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\ceaaeb1712019d430836876402e557e0_JaffaCakes118.exe"
          1⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4048
          • C:\Users\Admin\AppData\Local\Temp\ceaaeb1712019d430836876402e557e0_JaffaCakes118.exe
            C:\Users\Admin\AppData\Local\Temp\ceaaeb1712019d430836876402e557e0_JaffaCakes118.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2400
        • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
          C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
            C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 632
              3⤵
              • Program crash
              PID:5096
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 676
              3⤵
              • Program crash
              PID:4964
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872
          1⤵
            PID:3952
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4872 -ip 4872
            1⤵
              PID:3308

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Adobe\znhmfgj
              Filesize

              654B

              MD5

              d183e46a1187ec47b16b4b141dfa1a28

              SHA1

              4eb1e5483d1e782d421141e9ff44be2846549862

              SHA256

              5d33643375d3bc3a13c8167ab79eb07ee98d10abcea1a439b6ddf80e743c2911

              SHA512

              631baadda7b75524574a59e5233645181b09da995eda4feaa2893dd7a415be9436a56a2258624b58fb37002ced8f6ec76d84a450cdb53acb1bebaff97ed80c54

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
              Filesize

              714KB

              MD5

              ceaaeb1712019d430836876402e557e0

              SHA1

              2ab07d22fd77078e77aa3a635ad9d16f7b6a7fb1

              SHA256

              7ab006f651a322f3e0a931b4c996ab6a0376848fcf2b105aa60ad1f0509cf11e

              SHA512

              4923abc558f63f1c995592c08071fafbc7d6bdc9d45ad6ab1039bf929a5a4cb1396aaff1d334ecf8f27b1f6bdb313bf7f40996acb3bd6b2d86a9ca91d8bc7b4c

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
              Filesize

              129B

              MD5

              a526b9e7c716b3489d8cc062fbce4005

              SHA1

              2df502a944ff721241be20a9e449d2acd07e0312

              SHA256

              e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

              SHA512

              d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

              Download Submit

            • memory/796-26-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-24-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-3396-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-232-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-50-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-65-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-20-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-18-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/796-21-0x00000000041C0000-0x0000000004237000-memory.dmp

              Filesize

              476KB

              Download

            • memory/2400-4-0x0000000000401000-0x0000000000402000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2400-5-0x0000000028C70000-0x0000000028EBB000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/2400-2-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2400-1-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2400-3-0x0000000028A50000-0x0000000028C6A000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/4048-0-0x0000000002280000-0x0000000002284000-memory.dmp

              Filesize

              16KB

              Download

            • memory/4380-9-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/4872-15-0x0000000028CA0000-0x0000000028EEB000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4872-13-0x0000000000400000-0x00000000004A4600-memory.dmp

              Filesize

              657KB

              Download