Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10-08-2024 00:55
Static task
static1
Behavioral task
behavioral1
Sample
8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe
-
Size
179KB
-
MD5
8437a94ec2f1575a92b9e0120dfd6fee
-
SHA1
8e9b8c5bcb73394b79affee52e6fb747a8ed7d23
-
SHA256
e547ccdbb90d4c82fe83452d3a865e59e82ca3ec36ee622a40877934ffa07f7e
-
SHA512
48df5a485b2d6d1137a7288d67c90f686f1d10d3494c42eeb9ae3af8c7d3e80ae184b57483763d9fe91e1966a6898382c35faa55819d24de2a99d60f19dec04d
-
SSDEEP
3072:H3LEBAHGwuJ6q9VwUw5wi8KVQbeElo1cx0tfJzLClv6Yjw5qm9oJl3HtmSKu:XLE6GHHVwJL5h9JzL0voT9cH
Malware Config
Signatures
-
Loads dropped DLL 9 IoCs
pid Process 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 532 svchost.exe 532 svchost.exe 532 svchost.exe 576 svchost.exe 576 svchost.exe 576 svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2808 wrote to memory of 532 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 30 PID 2808 wrote to memory of 532 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 30 PID 2808 wrote to memory of 532 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 30 PID 2808 wrote to memory of 532 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 30 PID 2808 wrote to memory of 576 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 31 PID 2808 wrote to memory of 576 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 31 PID 2808 wrote to memory of 576 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 31 PID 2808 wrote to memory of 576 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 31 PID 2808 wrote to memory of 1172 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 32 PID 2808 wrote to memory of 1172 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 32 PID 2808 wrote to memory of 1172 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 32 PID 2808 wrote to memory of 1172 2808 8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8437a94ec2f1575a92b9e0120dfd6fee_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\svchost.exe-k netsvcs2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:532
-
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:576
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1172
-
Network
-
Remote address:8.8.8.8:53Requestnnef9gpy8hegvh.orgIN AResponse
-
Remote address:8.8.8.8:53Requestn038rf9hwj9u0ef.orgIN AResponse
-
Remote address:8.8.8.8:53Requestnr9e8fpuhi89ehf.orgIN AResponse
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
1.1MB
MD59b98d47916ead4f69ef51b56b0c2323c
SHA1290a80b4ded0efc0fd00816f373fcea81a521330
SHA25696e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA51268b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
-
Filesize
202KB
MD57ff15a4f092cd4a96055ba69f903e3e9
SHA1a3d338a38c2b92f95129814973f59446668402a8
SHA2561b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
SHA5124b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae