Analysis

max time kernel: 141s
max time network: 140s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10/08/2024, 19:54
Static task: static1

Behavioral task: behavioral1
  Sample: 87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe
Size: 1.0MB
MD5: 87714b15eb7db64a86037054d76195b0
SHA1: 94e68f702a948186728b4ad99fdbebbd5191f5d5
SHA256: 4976016eee1baa3c09807c9b2e4594ee82cb5a0347684b03fa76bf07a40b8cf0
SHA512: cdfb687a07b2ed6c96193fc58cad210ac3abf09bab3d859e7b716afff28fd330d2ea33704487261f94a3fe6e0da36083d959520897188c247ddfbdf6373c134d
SSDEEP: 24576:nq27sABdEq3Zo4o3DOdQ2KgOEIh27fUoAGXnq3Htj/VsHOo/:rV3ZWUIh0UoAG63H5+
Malware Config

Signatures

Deletes itself (1 IoC)
  pid 2804  cmd.exe

Executes dropped EXE (1 IoC)
  pid 2688  23569025.exe

Loads dropped DLL (5 IoCs)
  pid 2788  cmd.exe
  pid 2788  cmd.exe
  pid 2688  23569025.exe
  pid 2688  23569025.exe
  pid 2688  23569025.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23569025 = "C:\\PROGRA~3\\23569025\\23569025.exe"  23569025.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23569025 = "C:\\ProgramData\\23569025\\23569025.exe"  87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  23569025.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2688  23569025.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
  pid 2688  23569025.exe  (8 entries)

Suspicious use of SendNotifyMessage (8 IoCs)
  pid 2688  23569025.exe  (8 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                              procid_target
  PID 2240 wrote to memory of 2804   2240  87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe   30   (4 entries)
  PID 2804 wrote to memory of 2788   2804  cmd.exe                                              32   (4 entries)
  PID 2788 wrote to memory of 2688   2788  cmd.exe                                              33   (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe  (PID 2240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (PID 2804)
      Command line: cmd /c ""C:\ProgramData\23569025\23569025.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe  (PID 2788)
         Command line: cmd.exe /c start C:\PROGRA~3\23569025\23569025.exe /i
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\PROGRA~3\23569025\23569025.exe  (PID 2688)
            Command line: C:\PROGRA~3\23569025\23569025.exe /i
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: 87714b15eb7db64a86037054d76195b0
SHA1: 94e68f702a948186728b4ad99fdbebbd5191f5d5
SHA256: 4976016eee1baa3c09807c9b2e4594ee82cb5a0347684b03fa76bf07a40b8cf0
SHA512: cdfb687a07b2ed6c96193fc58cad210ac3abf09bab3d859e7b716afff28fd330d2ea33704487261f94a3fe6e0da36083d959520897188c247ddfbdf6373c134d

Filesize: 230B
MD5: ac67272f63573ccdab538bd21c654124
SHA1: ff38b8a03ceb1326834e7d75e995b25552b7a61f
SHA256: fdede40551e44939a0382bbe35b77f4e0307a5e05bd4b6341b498889a61c995e
SHA512: 6c045f34d386ccf1844184a4ebfc3d0c0d8510556beac7c6e4abf3944040c5254be345e043ada321bba257e6f8fd099f9d77b0b347d28ae137e07fcde4440919