Overview

overview

10

Static

static

3

JaffaCakes...c0.exe

windows7-x64

10

JaffaCakes...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6f033fc8cd7e34455dd63f02209a2bc0.exe

  • Size

    88KB

  • MD5

    6f033fc8cd7e34455dd63f02209a2bc0

  • SHA1

    f35a5ecdacead5a25f9de540ef7e47d24b84d9ef

  • SHA256

    868f09d969f568588700343e2e9c37544089f1ef9909d1f933f11c761d1f071d

  • SHA512

    991635ab01b60364d2f809b92f24d097abe6f577a2f8250ede7c385f22c81ec93d604cd78a0efce78d4e6ab9c739c5815f18da3d100171581f9cba35f2c2ba9d

  • SSDEEP

    1536:esrnFJekIsOnOCaRIj0oCudDF9DXQIdgikEH7m0:B7FJekX2jaRU0/IDFNQIdgrI

Score
10/10
bruteratelbackdoordiscoveryupx

Malware Config

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

    backdoorbruteratel
  • Bruteratel family
    bruteratel
  • Detect BruteRatel badger 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f033fc8cd7e34455dd63f02209a2bc0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f033fc8cd7e34455dd63f02209a2bc0.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Fmp..bat" > nul 2> nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Fmp..bat
    Filesize

    238B

    MD5

    9b7e608bf569cef8b7d58e66fe917a61

    SHA1

    9d410d1f8feb4262f0bdc7f3b03baff464d4c218

    SHA256

    65156da8ca2c3d1944bcce1d9b81cd96737ab69d17b6407da5a8ad494b73ece1

    SHA512

    834e968cb83f99a1c679230134b32c0f12c2935d9a663473120298d086de49a9484c8b25309e077bbdf59cf1e315e8b9f3b2fe696ee4359b63413eca5a2824af

    Download Submit

  • memory/4556-0-0x00000000004C0000-0x00000000004CD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4556-1-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4556-3-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download