Analysis

  • max time kernel: 141s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250314-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27/03/2025, 11:12

General

  • Target: JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe
  • Size: 1.1MB
  • MD5: 89b60c1e93170e9d6e525d207f032076
  • SHA1: 512d51b15fc9434b1071fbd2ce2facd3f650739b
  • SHA256: 6cf8a6433f7cdedd2ecaa24efb6422f054a1ed6a3d1c6ce30597c5f2cf50dc53
  • SHA512: f5a058793b9a6124e4264b6e7ced0ce23f90c44937921855b13e536adabea1e0901acffad2e420e52b88b4fefc224645aa8cb97d06eb546fdf2d3587698c9f1a
  • SSDEEP: 24576:skWAAuqryme6TrmevgdsIXB498R2h6vhP0OvJMVBYKx89qXCjKOJ7Rm6Mx3:sLekyeysIR7R2M9vvJMV/x89qyXRk5

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoC)
  • Obfuscated with Agile.Net obfuscator (2 IoCs)
    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\win64.exe
      "C:\Users\Admin\AppData\Local\Temp\win64.exe" -pdf2h2u2a
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Users\Admin\AppData\Local\Temp\iBot.exe
        "C:\Users\Admin\AppData\Local\Temp\iBot.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1060
          4⤵
          • Program crash
          PID:4832
      • C:\Users\Admin\AppData\Local\Temp\ejj.exe
        "C:\Users\Admin\AppData\Local\Temp\ejj.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4940 -ip 4940
    1⤵
    PID:5764

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3620259e-386a-4fe2-9fab-cbebcf3ad4ae\AgileDotNetRT.dll
    Filesize: 120KB
    MD5: dd7c3e58103e7c4392e618cb9c964f7d
    SHA1: ad10b6dc55e69d37a45fb6b63e920585ed092afb
    SHA256: ba891b4a284049221c542a85997462092be087f05720f3efc83e632396e519af
    SHA512: d2943e3bb6ae829be3ee85c2ebd4ed2bee97060ee5bcf28fcbf4d4ef6709dd2da8400cd610ebbbd664d1c2b2ab6b8dd2b81fd8dadf527fb9040c04abbe6e3936

  • C:\Users\Admin\AppData\Local\Temp\ejj.exe
    Filesize: 280KB
    MD5: a24c7caf95c34347b912294b27bb1950
    SHA1: cf7b9a43af491ea5e737cdfb655e1acbe84b672c
    SHA256: e965835cab22a6dad2ad11205f3384a1435bfab2ff5d1846dac0a96c390820a3
    SHA512: 9c0a56a15e9db550df7b5f626cc37c0b4c5163743176f3df75dd67843068480cb4feda53bd691ef3288752c15885cba84615e86b687352588afe7a00ef5eda08

  • C:\Users\Admin\AppData\Local\Temp\iBot.exe
    Filesize: 1.6MB
    MD5: 7f1971123f20015b8a3141ec276d3d01
    SHA1: 53990455668b450ed58ae18c054ce75aad7e62de
    SHA256: 2fc95ea30a325f1003b5ba9bb874b2919551d02edc831f542287902df77f0bfe
    SHA512: f6f81d8af4ea7b73536f0a0efab0ea1aec91695bd987441c9513a82fb4f48fef59c41aebd30589d78bc4a5d158c996d0d56d1c38231044793c45a5c3f99aca07

  • C:\Users\Admin\AppData\Local\Temp\win64.exe
    Filesize: 1.1MB
    MD5: d4eced446ea28c87249be3c427a5075d
    SHA1: 06fc129159087214e6d574ff6628ef4f504bedf8
    SHA256: 839ce078e1f9542ff80ee7141987daa8c6ed33f085cc0ecab0b964f5319d0e14
    SHA512: 7b96725baeddf47d6c57cd0d529b083a02bbdd0e0d476b728e4da59c15e4f2b2f59fb5ee785cd44e3f248bee13f3c882b2097fd4a8218b0e420d832606f6a675

  • memory/4940-31-0x0000000000620000-0x00000000007C6000-memory.dmp
    Filesize: 1.6MB

  • memory/4940-33-0x0000000005100000-0x0000000005192000-memory.dmp
    Filesize: 584KB

  • memory/4940-32-0x00000000057B0000-0x0000000005D54000-memory.dmp
    Filesize: 5.6MB

  • memory/4940-42-0x0000000075620000-0x0000000075652000-memory.dmp
    Filesize: 200KB

  • memory/4940-41-0x0000000075660000-0x00000000756E9000-memory.dmp
    Filesize: 548KB

  • memory/4940-43-0x00000000056E0000-0x000000000577C000-memory.dmp
    Filesize: 624KB

  • memory/4940-44-0x0000000005D60000-0x0000000005DC6000-memory.dmp
    Filesize: 408KB

  • memory/4940-45-0x0000000075620000-0x0000000075652000-memory.dmp
    Filesize: 200KB

  • memory/5024-46-0x0000000000400000-0x000000000044D000-memory.dmp
    Filesize: 308KB