Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 05:05
Behavioral task
behavioral1
Sample
77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
Target: 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
Size: 497KB
MD5: 77227411ed5a56e7f8caaaefb8551b11
SHA1: 6da36bf8e984c65361f8c473a14c63d6532780ac
SHA256: 3b776b91821efe686c53d5dff43dee312849131ecc6ac4ab92a3b6c4cc861071
SHA512: 98e906cc55e8cdfb6832a76b5f315e49e6ef543d9896dbc5206990c6c43d11eb92e9d861212b1c06bcea1b6579c11b9210f0746e7cdc8b5ec2b21ee10abc1d6f
SSDEEP: 12288:ReGtVfjTQSaoINAHT1ST82epyJ5JUkmoGNA:RLt4/NAwTWpA5aPK
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  2384  cmd.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2552  musuv.exe
  2764  powaq.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  292   77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
  2552  musuv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  musuv.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powaq.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes:
  pid   process
  2764  powaq.exe   (54 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                             target process
  PID 292 wrote to memory of 2552   292   77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe  musuv.exe   (4 entries)
  PID 292 wrote to memory of 2384   292   77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe  cmd.exe     (4 entries)
  PID 2552 wrote to memory of 2764  2552  musuv.exe                                           powaq.exe   (4 entries)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 292

  [depth 2] C:\Users\Admin\AppData\Local\Temp\musuv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\musuv.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2552

    [depth 3] C:\Users\Admin\AppData\Local\Temp\powaq.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\powaq.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2764

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2384
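As an added example (not part of the sandbox report), the Python below rebuilds the process tree from a constructed Sysmon-style event list that mirrors this report's PIDs, images, command lines and registry key, and re-derives the signatures above from it: the dropped-EXE execution chain under %TEMP%, the `cmd /c <Temp>\*.bat` idiom behind "Deletes itself", the NLS\Language key opens, and whether each WriteProcessMemory target is the writer's own child (as in this report) or an unrelated process, which is the stronger injection indicator. The parent PID 1200 of the first process, the event ordering, and the collapsing of the four writes per pair into one event are assumptions.

```python
"""Rebuild a process tree from flattened sandbox/Sysmon-style events and
re-derive the report's signatures from it."""
import ntpath
import re

# Temp directory used by every dropped artifact in the report.
TEMP_DIR = r"c:\users\admin\appdata\local\temp"

# Constructed event list modelled on the report. PIDs, images, command lines
# and the registry key are the report's; ppid 1200 for the first process
# (the launcher is not in the report), the ordering, and one WriteProcessMemory
# event per pair (the report lists four each) are assumptions.
EVENTS = [
    {"type": "proc", "pid": 292, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe"'},
    {"type": "proc", "pid": 2552, "ppid": 292,
     "image": r"C:\Users\Admin\AppData\Local\Temp\musuv.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\musuv.exe"'},
    {"type": "proc", "pid": 2764, "ppid": 2552,
     "image": r"C:\Users\Admin\AppData\Local\Temp\powaq.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\powaq.exe"'},
    {"type": "proc", "pid": 2384, "ppid": 292,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"type": "wpm", "src": 292, "dst": 2552},
    {"type": "wpm", "src": 292, "dst": 2384},
    {"type": "wpm", "src": 2552, "dst": 2764},
] + [
    {"type": "reg", "pid": pid,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"}
    for pid in (292, 2552, 2384, 2764)
]


def in_temp(path):
    return path.lower().startswith(TEMP_DIR + "\\")


def processes(events):
    return {e["pid"]: e for e in events if e["type"] == "proc"}


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    procs = processes(events)
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def dropped_executables(events):
    """PIDs whose image lives in %TEMP% and whose parent is also a %TEMP%
    binary: the 'Executes dropped EXE' pattern (musuv.exe, powaq.exe)."""
    procs = processes(events)
    return sorted(p for p, e in procs.items()
                  if in_temp(e["image"]) and e["ppid"] in procs
                  and in_temp(procs[e["ppid"]]["image"]))


# cmd /c "<path>.bat" with the batch path optionally quoted.
BAT_IN_CMD = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"?', re.IGNORECASE)


def self_delete_candidates(events):
    """cmd.exe running a %TEMP% batch file on behalf of a %TEMP% binary: the
    batch-file self-deletion idiom the 'Deletes itself' signature fires on.
    Returns (cmd pid, parent pid, batch path)."""
    procs = processes(events)
    hits = []
    for p, e in procs.items():
        m = BAT_IN_CMD.search(e["cmd"])
        parent = procs.get(e["ppid"])
        if m and in_temp(m.group(1)) and parent and in_temp(parent["image"]):
            hits.append((p, e["ppid"], m.group(1)))
    return hits


def language_discovery(events):
    """PIDs that opened the NLS\\Language key (System Language Discovery)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg" and e["key"].lower().endswith(r"\nls\language")})


def write_targets(events):
    """Split WriteProcessMemory pairs into writes to the source's own direct
    child (what this report shows) and writes into an unrelated process."""
    procs = processes(events)
    own_child, foreign = [], []
    for e in events:
        if e["type"] != "wpm":
            continue
        dst = procs.get(e["dst"])
        bucket = own_child if dst and dst["ppid"] == e["src"] else foreign
        bucket.append((e["src"], e["dst"]))
    return own_child, foreign


if __name__ == "__main__":
    print("ancestry of 2764:", " -> ".join(ancestry(EVENTS, 2764)))
    print("dropped EXEs executed:", dropped_executables(EVENTS))
    print("self-delete candidates:", self_delete_candidates(EVENTS))
    print("NLS\\Language readers:", language_discovery(EVENTS))
    print("WriteProcessMemory (own child, foreign):", write_targets(EVENTS))
```

The parent-to-child WriteProcessMemory writes here are what a sandbox records when a process starts a child it just created; the `foreign` bucket, empty for this sample, is the one worth alerting on in a real telemetry pipeline.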
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 304B
MD5: 680defa5b44421ef7593588d21774a3a
SHA1: 2afe4fe922217bcff4d30da926ea316f1ef40a51
SHA256: a43794c3a6e03c1513a14d5eb1a70229957907809f0cb12bc6ad71551fa84de6
SHA512: 6b0fa160767207351c7688db84e99e28f60936ca88295f33d3c7d3060c73368f76a5c12df3ed98e2bdcfa391b41303b25fc61f7f07e492f6073d2740c1f13f23

Filesize: 512B
MD5: 40904c995a9d10389928fc505460ac0d
SHA1: 8dc4b8bcc338b0309e38ac4be95112e68f6ccc0f
SHA256: 1e74e35f0c0737f46cfe550b509076fe84e4286c632470515b6f305b31b9feb4
SHA512: 80a379e19cdbbdc693e739476e0639602618dfae546749a86fe6690b6528a9b4fb35f230be05fffd7fcf4a81808822bd77e21192730012381ced8f2f86b58500

Filesize: 497KB
MD5: 3d132e51ae58ada734daf9e8293d41e2
SHA1: f9e6670a780a75106c24c5a124f14c090e6d9f68
SHA256: 2e809f7dbb1a10dd3bfcddc536e9831742e1fa7553646bf4e984c7f1780dfb09
SHA512: 51618cadaa9e56044bb16bb84f3bf5e7794a1f94ebbfc3dae4fe16c8b49b066ad4581f229d197b50ff73fae650b222caa2e00518694bca3f166e8ed42b080195

Filesize: 202KB
MD5: 8b33f05e83326b0f1cfa5f764b063d1c
SHA1: 2dc8d1fe911855f38c75c1e9172c414df451da5d
SHA256: 03ecc0867f4da60c12007ed76da5c1943e4f44a369f29c70bcb3e99a0cc50f8e
SHA512: 00aadfcf736a40fc6e1c285eed9edfa42183a6c20780d7ac9de2548a68bfa1d8018f3244fa24a352d9af31188c415be19128b4c026a4a6632f29d14ab69375cf