Analysis
- max time kernel: 32s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/07/2024, 01:42
Behavioral task: behavioral1
- Sample: 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
- Size: 229KB
- MD5: 05276fec4d22dcdf33b18ca59fcbcc2b
- SHA1: 81f09ddd31ca6d3bff7eeec1d67f55e407e1a9b5
- SHA256: 077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808
- SHA512: eda72239d3563d5bce76d0fe99f99c29ce63b1cd2e9b9d1774095bea2a3ea3d5bd1996eb825ac08ede68aa2b96f8c8d02980a61c1e1bb95e4dacdfcf3ba05e3c
- SSDEEP: 3072:U6jI9XJy7rww9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTTTTTTZ:XUZy0qzn76ppggmhOF0HFZlxU
Malware Config
Signatures
- YARA rule matches 2 IoCs
  resource                                     yara_rule
  behavioral2/files/0x000900000002344f-9.dat   aspack_v212_v242
  behavioral2/files/0x00070000000234ac-19.dat  aspack_v212_v242
- Executes dropped EXE 4 IoCs
  pid   Process
  3300  MSWDM.EXE
  2924  MSWDM.EXE
  3480  05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
  2388  MSWDM.EXE
- Adds Run key to start application 2 TTPs 4 IoCs
  description      ioc                                                                                                    Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
- Drops file in Windows directory 3 IoCs
  description                   ioc                      Process
  File created                  C:\WINDOWS\MSWDM.EXE     05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
  File opened for modification  C:\Windows\devA7C9.tmp   05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
  File opened for modification  C:\Windows\devA7C9.tmp   MSWDM.EXE
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSWDM.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSWDM.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid   Process
  2924  MSWDM.EXE
  2924  MSWDM.EXE
- Suspicious use of WriteProcessMemory 12 IoCs
  description                       pid   Process                                             procid_target
  PID 2112 wrote to memory of 3300  2112  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe  84
  PID 2112 wrote to memory of 3300  2112  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe  84
  PID 2112 wrote to memory of 3300  2112  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe  84
  PID 2112 wrote to memory of 2924  2112  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe  85
  PID 2112 wrote to memory of 2924  2112  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe  85
  PID 2112 wrote to memory of 2924  2112  05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe  85
  PID 2924 wrote to memory of 3480  2924  MSWDM.EXE                                           86
  PID 2924 wrote to memory of 3480  2924  MSWDM.EXE                                           86
  PID 2924 wrote to memory of 3480  2924  MSWDM.EXE                                           86
  PID 2924 wrote to memory of 2388  2924  MSWDM.EXE                                           87
  PID 2924 wrote to memory of 2388  2924  MSWDM.EXE                                           87
  PID 2924 wrote to memory of 2388  2924  MSWDM.EXE                                           87
Processes
- C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe"
  PID: 2112
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE
    command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 3300
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
  - C:\WINDOWS\MSWDM.EXE
    command line: -r!C:\Windows\devA7C9.tmp!C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe! !
    PID: 2924
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
      PID: 3480
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE
      command line: -e!C:\Windows\devA7C9.tmp!C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE!
      PID: 2388
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 229KB
  MD5: b90af47d4837e453736496040934457b
  SHA1: d9277bfaba433b14eb7383259bdd0789430c069a
  SHA256: a0396d0287961c9220777ca2a82b484316f3defb9b385d47d44bf1eb72d2db05
  SHA512: acfe4de56feb4de8631d2c44341d83f478b34f3785e5ca66d61f68efe65ffabad7b693f484e82fc3eea78d4aa6349e88578c03e13c766d72f0219aef46518bfb
- Filesize: 229KB
  MD5: efc9d61b9c947685d075197bc9727d52
  SHA1: 062ee3711784e7675fc2ff7bd9181ea9219fd6a2
  SHA256: af8768d3f21f204622ba9b9f077c81dd92ee0ece88087c8091a8cc827bbe28b6
  SHA512: 5ad8ba37a046273023017a18636cf9e4dee16c486a753464684da123e46d78d9a1e81ed915f38e51d85ff8e717ea344713d20cf20b7f5cb817e4e19509e10c35
- Filesize: 48KB
  MD5: 2cc0c2ba0c6d47e75f86d4257b97bfee
  SHA1: 3c6682ce02e8d27cae1660331b6aef93e2d1ffba
  SHA256: 8be865e79fa8a2025e0b8456fae9a4a9fc49fd17b0c6055787a1a8f2bc89bf78
  SHA512: 856d51b39e7f47701f886bb9e2b56ef3c0368d0b5e46bfd32b1fe08342d2f2e7941ae946ea8f40ff4a9b77ff438b092328a609cae9ebe61595fb55bbfc6914b0
- Filesize: 181KB
  MD5: e9c2bc594e99b189442e1ba1354dc24b
  SHA1: 03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2
  SHA256: 0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623
  SHA512: 4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79