Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-12-2024 10:20
General
-
Target
e101b5373089ee47b3c267f2d346de65_JaffaCakes118.exe
-
Size
635KB
-
MD5
e101b5373089ee47b3c267f2d346de65
-
SHA1
f74216e5973d16303781ae7ecb605b628648a95b
-
SHA256
da19464234b78daa22a5e87253eb150827e4216bc10d5bd2393ceb9984cbf539
-
SHA512
bfa825c1fb2bdce4eca3bf825d7aab27780a8f2ade3352ec864f2eed7c861f297db6886f232ab677df1cfa31d964383344fbdb1bc29013979642b3b86cc90a4e
-
SSDEEP
12288:q5dFxHPvtS8ULd+mQb+mQwWhhhhrE6zTNhhhhhJsni7lhjPyTCIPNekH9h7ukzi8:q1JPvJULd+mQb+mQwb6hhe19ESiWy9E5
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e101b5373089ee47b3c267f2d346de65_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e101b5373089ee47b3c267f2d346de65_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\stuckssssssssss.exe"C:\Users\Admin\AppData\Local\Temp\stuckssssssssss.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7803⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Systeme update.exe"C:\Users\Admin\AppData\Roaming\Systeme update.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Systeme update.exe"C:\Users\Admin\AppData\Roaming\Systeme update.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Yzanbhdckbmqnu.exe"C:\Users\Admin\AppData\Local\Temp\Yzanbhdckbmqnu.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payload.exe"C:\Users\Admin\AppData\Local\Temp\Payload.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
617B
MD5e07efe3f1e4fcc39483a46d0644e1750
SHA1083566e513d8090982a8f2d2c57864f7e5eea721
SHA256d35da5dbc639e94852448d93722de5260388abf8a0a6b80d947d8acf02209617
SHA512e29fac6efce55130598dd9ca0be18e2934d8ed417087848f4c80c1754312f1dae2eb0fc3e85e58aa11abde23a221bdf8f6b80df3a9acad4891626f667f05b474
-
Filesize
27KB
MD500bcd4b2279192f1c1ab891dd6e4f8a9
SHA1fe2f6a18f1cf05845986bba18eec6cef8f384a7a
SHA256ec0f19ba745d906933378b22fd33de72d4b02f36061e28014b943e85573ec1b2
SHA512365922001e000d93b501b108332063973b0518b357f5295e94ceddbd0b9746be88d6f110ac40cdfb3d0a9c9405c1d8917d1328b66a6ee27a416b2557bbd8aee6
-
Filesize
237KB
MD5541a97219a94deaff2f3fad462ccaf0b
SHA1aa76d0a36b0ce118c1bb5d81e4d3ad4cb39c9c12
SHA256a8a01af1b5b629ce9c2866cba6459fc05052b77d70f3a93012ecc69e4ed209d6
SHA512d18bf28d9b817c144ba5e9184a3f6d256ab990eb1b90b6be9a77b8edab158ab6e8b3b8047adb28385b5859474433b5270d29b9ef3389ed5b009ef0255d00d581
-
Filesize
1KB
MD524c8b081057dde3fb93a40dd4cb2990d
SHA10670822ed20d0b808f3027f3cc8e4842bbe85232
SHA2560a46618b024e07c3c15b768125bd70882ee1f6dfb6ff4592144f07e28d5c6f1b
SHA5121378da182a165173b35ed1783dde5201df23a3f2415d73259cbf8d34572de1918739c31f27ce346135f1ca3237cca36fbaaba3237d6973f5b0c76116d44e9146
-
Filesize
1KB
MD569ab968db0b12dae68681deef9426241
SHA11d1b5d0ff75d3610ad73d0d5ec0a2476dc6e16a0
SHA256d59f9976085986ac5d2c93817333b89ff42a27cd91ef1938b16bc9b395075b6d
SHA512e4b9391114e936d09026f66bcd2ec44bbd2f00287446d772200c2db8e10d43b12af43d2743653f38678d228b14a96962ddb171f7e2b0a1cfa47da5b724d8de5e
-
Filesize
635KB
MD5e101b5373089ee47b3c267f2d346de65
SHA1f74216e5973d16303781ae7ecb605b628648a95b
SHA256da19464234b78daa22a5e87253eb150827e4216bc10d5bd2393ceb9984cbf539
SHA512bfa825c1fb2bdce4eca3bf825d7aab27780a8f2ade3352ec864f2eed7c861f297db6886f232ab677df1cfa31d964383344fbdb1bc29013979642b3b86cc90a4e
-
Filesize
48KB
-
Filesize
804KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
664KB