Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 21:16
Static task: static1
Behavioral task: behavioral1
  Sample: 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
  Resource: win10v2004-20240730-en
General
Target: 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
Size: 752KB
MD5: 81c647da331f5ff778e901589cfaec68
SHA1: 3338b0d1ef3aed4685d12e3ff136357c264c2e2c
SHA256: 1c34911853772725511ac05ec32b06a1cc84a1a44c7781281e512cc92ef80ca8
SHA512: f86be632a6922541fad9118b38863256f25725470887db82f616331ebb729be73441761f2e6c61ab553a9cb3fcc06c603c1557a5c231e8048dc032fdb94fb691
SSDEEP: 12288:B2AHzYq9e9ks1yMMcU45uNqJbrfBS3EU9LE0kVRi7TlcNKjsaE7pQ/qLJ48:ceYqUys1lCqJbzBST405xHxE7pyqLm
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2728  Process winlogin.exe
Loads dropped DLL (2 IoCs)
  pid 2852  Process cmd.exe
  pid 2852  Process cmd.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\system32\\winlogin.exe\""  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\SysWOW64\winlogin.exe  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\winlogin.exe  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process winlogin.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2728  Process winlogin.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2936 wrote to memory of 2852  pid 2936  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe  procid_target 30
  PID 2936 wrote to memory of 2852  pid 2936  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe  procid_target 30
  PID 2936 wrote to memory of 2852  pid 2936  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe  procid_target 30
  PID 2936 wrote to memory of 2852  pid 2936  Process 81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe  procid_target 30
  PID 2852 wrote to memory of 2728  pid 2852  Process cmd.exe  procid_target 32
  PID 2852 wrote to memory of 2728  pid 2852  Process cmd.exe  procid_target 32
  PID 2852 wrote to memory of 2728  pid 2852  Process cmd.exe  procid_target 32
  PID 2852 wrote to memory of 2728  pid 2852  Process cmd.exe  procid_target 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe"
   PID: 2936
   - Adds Run key to start application
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\winlogin.exe
      PID: 2852
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\winlogin.exe
         Command line: C:\Windows\system32\winlogin.exe
         PID: 2728
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Enterprise v15