Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2024 07:43
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
  - Resource: win7-20240705-en
Behavioral task
- behavioral2
  - Sample: 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
  - Resource: win10v2004-20240730-en
General
- Target: 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
- Size: 262KB
- MD5: 7fb15605dccd06a70ae7644062a69114
- SHA1: 3fa5587c045a0e99f2304828e275776154a30ed1
- SHA256: 2b93f9095e8695ccecddb46f5c79252d226f665d29e781cb53b0b8d237414a29
- SHA512: 83dda785e21f940a92ab863839130767e15184c83cd828d1778986092c06934a65ae8f81ea32de8b55c129575b3e4f9a8cbe989462fb69664349ee7c8b4c5654
- SSDEEP: 6144:wZ8Gp+df0afmVTRMdVdpn94sLrNXel9Qb98+MARI:w8YkfXf4TRMn94svNuzQb9Zw
Malware Config
Signatures
- Deletes itself (1 IoCs)
  - pid 2864 cmd.exe
- Executes dropped EXE (1 IoCs)
  - pid 2004 iwge.exe
- Loads dropped DLL (1 IoCs)
  - pid 2452 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - iwge.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4A4DE868-6E67-AD4F-A8F7-B67989399564} = "C:\\Users\\Admin\\AppData\\Roaming\\Giov\\iwge.exe"
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 2452 (7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe) set thread context of PID 2864 (cmd.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Modifies Internet Explorer settings (signature name as listed in the process tree below)
  - 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy
  - 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  - pid 2004 iwge.exe (all 31 entries are from this process)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeSecurityPrivilege, pid 2452 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe (3 entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  - pid 2452 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
  - pid 2004 iwge.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  - PID 2452 (7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe) wrote to memory of PID 2004 (iwge.exe): 4 entries
  - PID 2004 (iwge.exe) wrote to memory of PID 1104 (taskhost.exe): 5 entries
  - PID 2004 (iwge.exe) wrote to memory of PID 1168 (Dwm.exe): 5 entries
  - PID 2004 (iwge.exe) wrote to memory of PID 1216 (Explorer.EXE): 5 entries
  - PID 2004 (iwge.exe) wrote to memory of PID 496 (DllHost.exe): 5 entries
  - PID 2004 (iwge.exe) wrote to memory of PID 2452 (7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe): 5 entries
  - PID 2452 (7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe) wrote to memory of PID 2864 (cmd.exe): 9 entries
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth 1, PID 1104
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth 1, PID 1168
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth 1, PID 1216
  - C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe"
    Depth 2, PID 2452
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Giov\iwge.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Giov\iwge.exe"
      Depth 3, PID 2004
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdb9e4c00.bat"
      Depth 3, PID 2864
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth 1, PID 496
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 1759b4646c41fed22c089add35ba1492
  SHA1: 7bf98186e87307716e2f119990b12e074567d042
  SHA256: 76a9e5028c8f84426bdfb8e505807793b2f7c055753ef9b5677d2b2e0a529327
  SHA512: 66ea6550a01846d982cb8ed9400bac498def26458bc7f6c3517dffcdf80142f2d76c6b00741d4f3a328d739f7da61585ee343a87eb8d7a55975d258387fa5816
- Filesize: 380B
  MD5: 6fcc85272fc9b642c190edb841c76be2
  SHA1: dc7a7ee5b979b4fe57c252ae1ce226a2b77256a0
  SHA256: e2e5666a58e0bd90e4af6387524c9236063dbf8e1a8fbe375dbbbeaf81c2be81
  SHA512: 190231a231698bd3b4725b60d998614bda679ca8c2e7d94aa1c4cdd171dedfcd78e0a9d112e447ab9c17d427b38af576704d790c9fd5e66149d4deb1349295ac
- Filesize: 262KB
  MD5: 47ef107c1d1a12fff95fdd1c09445932
  SHA1: fe684cefb2b06ed2fe9193956c8e267d8aaa1e0b
  SHA256: ab61380f0a4933eda688101b4722807a2ccb2e99a6eb0c8c23e869b0d9e2351f
  SHA512: 9e3c85347deb1abf7d323a23001ab78ff86e96519f4392223af6d9f54e55ec9fe496372c0421669134d2e63cd5c40fc24d67e3c796eda548b30f14fdccdaf716