Analysis
  max time kernel: 148s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-07-2024 11:20
Behavioral task
  behavioral1
    Sample: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
    Resource: win7-20240705-en
General
  Target: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
  Size: 101KB
  MD5: 7805e6298903cbd07833d6d7b4147458
  SHA1: 2abad5544ec45b78eba1d2a38a26167c25197bd5
  SHA256: a882cd36825d6e74446f7e4654b5658c0e350c6a473db3542c537959cc661499
  SHA512: 5214889cda839857f226c7225021d9a0eb7e2fb239a534d81e6075998ae5bfb6102ead0388cd7fca96ba017de17068a46218a59ff31634e825d195be23236727
  SSDEEP: 1536:39XM2K4Y3kK5MNq5cktsVPkRcT5nEYJyuXtg/I/rSL5+Fj7z3nYxt:398xkK5h5xwPDTZrJ/rq5+Fj7z3nYxt
Malware Config
Signatures
Drops file in System32 directory (4 IoCs)
  Processes: viewermatrix.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | viewermatrix.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | viewermatrix.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | viewermatrix.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | viewermatrix.exe
  Note: all four paths are WinINet cache, cookie and history folders inside the LocalSystem profile (config\systemprofile; the SysWOW64 copy because viewermatrix.exe is a 32-bit process). Together with the HKEY_USERS\.DEFAULT writes recorded below, this is consistent with the viewermatrix.exe copy running as SYSTEM. The signature fires on these cache writes, not on the placement of viewermatrix.exe itself, which is not among the recorded events.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe (2 instances), viewermatrix.exe (2 instances)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | viewermatrix.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | viewermatrix.exe
  Note: opening the NLS\Language key is also done by many legitimate programs during locale initialisation, so on its own this is a weak indicator; it is listed here because every process in both trees performed it.
Modifies data under HKEY_USERS (3 IoCs)
  Processes: viewermatrix.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value recorded) | viewermatrix.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | viewermatrix.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | viewermatrix.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: viewermatrix.exe
  pid | process
  4060 | viewermatrix.exe (10 occurrences)
Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
  pid | process
  1484 | 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe, viewermatrix.exe
  description | pid | process | target process
  PID 4772 wrote to memory of 1484 | 4772 | 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe | 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe (3 occurrences)
  PID 2932 wrote to memory of 4060 | 2932 | viewermatrix.exe | viewermatrix.exe (3 occurrences)
Processes
  C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe"
    PID: 4772
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    child:
      C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
        command line: --aeaf4a34
        PID: 1484
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: RenamesItself

  C:\Windows\SysWOW64\viewermatrix.exe
    command line: "C:\Windows\SysWOW64\viewermatrix.exe"
    PID: 2932
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    child:
      C:\Windows\SysWOW64\viewermatrix.exe
        command line: --aa07e9a5
        PID: 4060
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

  Note: both trees have the same shape (a top-level process re-launches its own image with an eight-character hex argument and then writes into the child's memory), but the two top-level processes are separate roots. The report records neither the file write that placed viewermatrix.exe in SysWOW64 nor the event that started PID 2932, so the link between the sample and viewermatrix.exe is inferred from the matching behaviour rather than from a recorded parent/child relationship.
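The WriteProcessMemory records and the process tree above carry enough structure to automate the triage. The script below is an added example, not part of the report or of the sandbox's own tooling: it embeds the report's records as constructed input, rebuilds the writer/target pairs, and flags the pattern both trees show (a parent writing into a freshly spawned copy of its own image that was launched with an eight-character hex argument, with the second copy living under SysWOW64). The parent pids are taken from the tree's nesting; the record layout it parses, the field names and the function names are the example's own assumptions.

```python
"""Triage helper for the sandbox report above (added example, not the report's tooling).

Parses the "wrote to memory" IoC rows and the process tree, then reports, per
target process, who wrote into it, whether that writer is its parent, whether
it runs the same image, whether its command line carries a short hex argument,
and whether the image lives in a Windows system directory.
"""
import re
from collections import Counter

# Copied from the report's "Suspicious use of WriteProcessMemory" IoCs.
# Columns as rendered there: description, pid, process, target process.
WPM_RECORDS = """\
PID 4772 wrote to memory of 1484 4772 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
PID 4772 wrote to memory of 1484 4772 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
PID 4772 wrote to memory of 1484 4772 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
PID 2932 wrote to memory of 4060 2932 viewermatrix.exe viewermatrix.exe
PID 2932 wrote to memory of 4060 2932 viewermatrix.exe viewermatrix.exe
PID 2932 wrote to memory of 4060 2932 viewermatrix.exe viewermatrix.exe
"""

# Constructed from the report's process tree: (pid, image path, command line, parent pid).
# Parent pids follow the tree's nesting; the two top-level entries have no recorded parent.
PROCESSES = [
    (4772, r"C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe"', None),
    (1484, r"C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe",
     "--aeaf4a34", 4772),
    (2932, r"C:\Windows\SysWOW64\viewermatrix.exe", r'"C:\Windows\SysWOW64\viewermatrix.exe"', None),
    (4060, r"C:\Windows\SysWOW64\viewermatrix.exe", "--aa07e9a5", 2932),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")
# Both child stages in the report were started with "--" plus exactly eight hex digits.
STAGE_ARG_RE = re.compile(r"(?:^|\s)--[0-9a-f]{8}(?:\s|$)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_wpm(text):
    """Return one (writer_pid, target_pid, writer_image, target_image) tuple per IoC row."""
    out = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # tolerate header or separator lines pasted from the report
        writer, target, pid, proc, target_proc = m.groups()
        if writer != pid:
            continue  # description and pid column disagree; do not trust the row
        out.append((int(writer), int(target), proc, target_proc))
    return out


def same_image_writes(records):
    """(writer, target, image, event_count) for writes into a process running the writer's own image."""
    counts = Counter((w, t, wi) for w, t, wi, ti in records if wi == ti)
    return [(w, t, img, n) for (w, t, img), n in sorted(counts.items())]


def process_map(processes):
    return {pid: (image, cmdline, parent) for pid, image, cmdline, parent in processes}


def triage(processes, wpm_text):
    """Combine the tree and the write records into one finding per written-into process."""
    procs = process_map(processes)
    findings = {}
    for writer, target, image, n in same_image_writes(parse_wpm(wpm_text)):
        t_image, t_cmd, t_parent = procs[target]
        findings[target] = {
            "writer": writer,
            "image": image,
            "write_events": n,
            "writer_is_parent": t_parent == writer,
            "stage_arg": bool(STAGE_ARG_RE.search(t_cmd)),
            "in_system_dir": t_image.lower().startswith(SYSTEM_DIRS),
        }
    return findings


def unparented(processes):
    """Pids with no recorded parent: the report links neither top-level process to the other."""
    return [pid for pid, _, _, parent in processes if parent is None]


if __name__ == "__main__":
    for target, finding in triage(PROCESSES, WPM_RECORDS).items():
        print(target, finding)
    print("unparented roots:", unparented(PROCESSES))
```

Run against the report's data it yields two findings, PIDs 1484 and 4060, each written into three times by its own parent and each started with the hex argument; only 4060 runs from a system directory, and both 4772 and 2932 come back as unparented roots, which is the gap a responder has to close with host telemetry (service installation, scheduled task, or a file-write event for viewermatrix.exe) that the sandbox did not record.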