Analysis
- max time kernel: 120s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 13:33
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task
- behavioral2
  Sample: 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
- Size: 46KB
- MD5: 6fc905b30fdd606e00e0221b602f012f
- SHA1: eb2ea5938df07da8e7d0686ccc6c2248dc840e3c
- SHA256: a83681e39976317c618f30662d8429100d865bd44b19b7e594bc40a8ef80cd40
- SHA512: d4f1f0aa564bef2b6b80e3f57eee646276faf1e4b09246c8688b9b6f0b6b93547bf1c2b57e5d52db05d32b6bce5c4cabe60fb264c2d9996fddfe1f99cc39ba08
- SSDEEP: 768:y+Py3kA+wcnFuIgFfrnQvEuUjaiQrcyo0mpbU4fVIkNCtD5xt2xgMqUgPiRPdaQq:xP6+NGNLjWsfl1NIkNctmgMpRPdaRq89
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\husjdd8s\ImagePath = "C:\\Windows\\system32\\husjdd8s.exe -j" | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe

- Deletes itself (1 IoC)
  pid | Process
  2032 | cmd.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  3028 | husjdd8s.exe

- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\KillMe.bat | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\osiesd3.dll | husjdd8s.exe
  File created | C:\Windows\SysWOW64\husjdd8s.exe | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\husjdd8s.exe | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\husjdd8s.exe | husjdd8s.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | husjdd8s.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2220 | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  3028 | husjdd8s.exe
  3028 | husjdd8s.exe
  3028 | husjdd8s.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2220 wrote to memory of 2032 | 2220 | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe | 31
  PID 2220 wrote to memory of 2032 | 2220 | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe | 31
  PID 2220 wrote to memory of 2032 | 2220 | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe | 31
  PID 2220 wrote to memory of 2032 | 2220 | 6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fc905b30fdd606e00e0221b602f012f_JaffaCakes118.exe"
  - Sets service image path in registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2220
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\system32\KillMe.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2032

- C:\Windows\SysWOW64\husjdd8s.exe
  Command line: C:\Windows\SysWOW64\husjdd8s.exe -j
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3028
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 239B
  MD5: 4e41849eb49a7489f76ca122d4e3c5ad
  SHA1: 54f03214e139c0a0813ea08cf18f96ba7419d0e7
  SHA256: 3da7e3dc1ee53f2ced50ee3acc50ec6c6cc449ecf1cfb96fbcc18f29c7449584
  SHA512: f23d62de1c2d5852d4f25fe708f1c014d3ad2dd59bc71716ac5fd82ec3566c896a92a8c356ac0b22370eee4918f818182e10d0ff179f41a8993f652152995b83

- Filesize: 46KB
  MD5: 6fc905b30fdd606e00e0221b602f012f
  SHA1: eb2ea5938df07da8e7d0686ccc6c2248dc840e3c
  SHA256: a83681e39976317c618f30662d8429100d865bd44b19b7e594bc40a8ef80cd40
  SHA512: d4f1f0aa564bef2b6b80e3f57eee646276faf1e4b09246c8688b9b6f0b6b93547bf1c2b57e5d52db05d32b6bce5c4cabe60fb264c2d9996fddfe1f99cc39ba08