Analysis

  • max time kernel
    124s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 08:55

General

  • Target

    7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    7794d237b1d5a27fb84ef5e15e43eb0f

  • SHA1

    9009a7bb44d13d799b8db4abc232bac17506b32e

  • SHA256

    33d747c0d7ad69727f5358df0fef7b50491442c73806755428cf5d105cfc5133

  • SHA512

    b68ca025ef6e79f6bcab02fe99182f993269e8202d147a28e385fee451b5bf728a6cb7fa7fe9a7485b5031a03d1875100cb1f847992e137aac61e66fed3bac19

  • SSDEEP

    384:iXdGP+MQ9aBfDnnZI1k/9lM0R5qWn3U38wkuFSPTAPJTW5Z:aGP+3aBLnsk/XM0RQW3U38wNSb4JTE

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe" TWO
      2⤵
      • Server Software Component: Terminal Services DLL
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1524
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k bvmbnc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\bvmbnc.dll

    Filesize

    17KB

    MD5

    30cea981379523446b0bfd8cab4b425d

    SHA1

    dc8ec65a05922fe8505c8a9db37cf9f760804aed

    SHA256

    251349d010fa7d445a7b8b01459ed3a51a71d74a55f4dc966efbcbac1fa1c009

    SHA512

    b49db31bf646ba630293b5fb8ef26beacbf480488e09256181d6b2a76ff19b8371b24bd3fd1928447ea65b1dcde1c9c5a44be77867de5def6be7f3aeaad56516