Analysis
Max time kernel: 6s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 28/07/2024, 01:42
Behavioral task behavioral1
Sample: 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Size: 229KB
MD5: 05276fec4d22dcdf33b18ca59fcbcc2b
SHA1: 81f09ddd31ca6d3bff7eeec1d67f55e407e1a9b5
SHA256: 077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808
SHA512: eda72239d3563d5bce76d0fe99f99c29ce63b1cd2e9b9d1774095bea2a3ea3d5bd1996eb825ac08ede68aa2b96f8c8d02980a61c1e1bb95e4dacdfcf3ba05e3c
SSDEEP: 3072:U6jI9XJy7rww9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTTTTTTZ:XUZy0qzn76ppggmhOF0HFZlxU
Malware Config
Signatures
- yara_rule aspack_v212_v242 matched resource behavioral1/files/0x0007000000012117-29.dat
Executes dropped EXE 4 IoCs
- PID 1844: MSWDM.EXE
- PID 1696: MSWDM.EXE
- PID 2692: 05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
- PID 2756: MSWDM.EXE
Loads dropped DLL 2 IoCs
- PID 1696: MSWDM.EXE (2 events)
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" by 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" by 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" by MSWDM.EXE
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" by MSWDM.EXE
Drops file in Windows directory 2 IoCs
- File created C:\WINDOWS\MSWDM.EXE by 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- File opened for modification C:\Windows\dev9E42.tmp by 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MSWDM.EXE (3 events)
Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 1696: MSWDM.EXE
Suspicious use of WriteProcessMemory 16 IoCs
- PID 1900 (05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe) wrote to memory of PID 1844, procid_target 30 (4 events)
- PID 1900 (05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe) wrote to memory of PID 1696, procid_target 31 (4 events)
- PID 1696 (MSWDM.EXE) wrote to memory of PID 2692, procid_target 32 (4 events)
- PID 1696 (MSWDM.EXE) wrote to memory of PID 2756, procid_target 33 (4 events)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe"
    Signatures: Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    [2] C:\WINDOWS\MSWDM.EXE (PID 1844), child of PID 1900
        Command line: "C:\WINDOWS\MSWDM.EXE"
        Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery

    [2] C:\WINDOWS\MSWDM.EXE (PID 1696), child of PID 1900
        Command line: -r!C:\Windows\dev9E42.tmp!C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe! !
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE (PID 2692), child of PID 1696
            Signatures: Executes dropped EXE

        [3] C:\WINDOWS\MSWDM.EXE (PID 2756), child of PID 1696
            Command line: -e!C:\Windows\dev9E42.tmp!C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE!
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 181KB
  MD5: e9c2bc594e99b189442e1ba1354dc24b
  SHA1: 03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2
  SHA256: 0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623
  SHA512: 4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79
- Filesize: 48KB
  MD5: 2cc0c2ba0c6d47e75f86d4257b97bfee
  SHA1: 3c6682ce02e8d27cae1660331b6aef93e2d1ffba
  SHA256: 8be865e79fa8a2025e0b8456fae9a4a9fc49fd17b0c6055787a1a8f2bc89bf78
  SHA512: 856d51b39e7f47701f886bb9e2b56ef3c0368d0b5e46bfd32b1fe08342d2f2e7941ae946ea8f40ff4a9b77ff438b092328a609cae9ebe61595fb55bbfc6914b0