Analysis

  • max time kernel
    92s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 09:15

General

  • Target

    JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe

  • Size

    21KB

  • MD5

    e2ab329f47ca52275fe77460d00da716

  • SHA1

    dda35e2315bb69ec5bb96be604be4034b67a7d41

  • SHA256

    aa84389732f1c42c53d5502abef1804ac4f51cbaf0d14daeebb678bb7ba4c9d3

  • SHA512

    23b2f436fbfa056056dd4bfcec9998cd60a04fdf7b310aa6ad3a6238c34edff1565a1c1718bb96c517130d3f59176848717828c0cff1cbfcbdadfe1262e9030a

  • SSDEEP

    384:Jil28pZyij4P1DBh4+Itd71DoSk4Nl1IJclGsjHlXGfLCBe/cTqH3Y:Jil2+ZDe9h4+Itd71En4Nl1pMsjHlX2z

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2988
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3092
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3580

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5a279vn\imagestore.dat

    Filesize

    4KB

    MD5

    83e824a59a0f049547fce5f47a763d3e

    SHA1

    c22d5c004d59efc4d5bf83d9012f9419154e89bc

    SHA256

    63d9b7084e3042b25231ea447be350cc5b9e5c6f8c9e096b85d04bc6120b9d09

    SHA512

    be008e7b6fd0516e12306e57af0a708c90b0be31d52dad4d91d7d312bc97a700775eeac74d83d73509775646fea3a90c0c8634997afab2959272f280e91b4532

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\fav[1].ico

    Filesize

    4KB

    MD5

    b664b38d499b4379466e2d7ea4d87768

    SHA1

    8f86559f1d84fafa66dd297a597e8367e6f2b149

    SHA256

    16c1ef6558c2cf557c10dc33a08bb7b4663ab7154d48651dc3de8a28113fff5a

    SHA512

    3d8dc1bccae0aa3ca9aef97c6df171a442ee1602ad97d6ff601726a0537c1a25b2e2c213a003f56461526a3f8242dfbbff6d9ecefc150ffa739efb3386f118d4

  • C:\Users\Admin\AppData\Local\Temp\a.bat

    Filesize

    38B

    MD5

    1bb08e1de6d8206457ccb5be7eaa90a9

    SHA1

    b895eee036fd4bbf20378b7bf71102fc1bf6de55

    SHA256

    acbe661b5145045fa3f319f23ca6d6043cb176492d2f7bb291880d107ec47d48

    SHA512

    4f905a5dac2249006262e93609428b8bb0305ca65eb61e2fe5e077db3e098e84a6cf4733b2d1a927f2f4ec2c2aa2ee7128b5cb735fb2aa922107612482e44f9a

  • memory/2680-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2680-1-0x0000000002180000-0x0000000002185000-memory.dmp

    Filesize

    20KB

  • memory/2680-48-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB