Analysis
max time kernel: 150s
max time network: 136s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11-08-2024 07:09
Static task: static1
Behavioral task: behavioral1
  Sample: 89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
Size: 262KB
MD5: 89753d8050a2a41c24f85dd57b0a5a72
SHA1: 8cb52e457c31bd78c157e7305941135c0db4294f
SHA256: f18bd979ea4eb2d374bef76270bc02ac31955bd421b911864ded3b2ccae2fb20
SHA512: dc788a715ba4b0ee4cf8450c7ee1e93d3b8b7cf10bb6968c62f7cce141e3bbe63c18feae29f52e590d3b2c27fdc0fc23544de1785b0bd980c882a4742c885230
SSDEEP: 6144:iS8Gp+df0afmVTRMd/dpn94sLrNXel9Ab98+MA7U:F8YkfXf4TRMx94svNuzAb9ZC
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
  cmd.exe, PID 2764

Executes dropped EXE (1 IoC)
Processes:
  kiab.exe, PID 1112

Loads dropped DLL (1 IoC)
Processes:
  89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe, PID 1816

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  kiab.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7D4B5FC8-1892-AD4F-C2C5-7543D4B4565E} = "C:\\Users\\Admin\\AppData\\Roaming\\Otoro\\kiab.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1816 (89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe) set thread context of PID 2764 (cmd.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies Internet Explorer settings (2 IoCs)
Processes:
  89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
  89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  kiab.exe, PID 1112 (31 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe, PID 1816: Token: SeSecurityPrivilege (3 entries)

Suspicious use of UnmapMainImage (2 IoCs)
Processes:
  89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe, PID 1816
  kiab.exe, PID 1112

Suspicious use of WriteProcessMemory (38 IoCs)
Processes (source PID -> target PID, count):
  PID 1816 (89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe) wrote to memory of PID 1112 (kiab.exe): 4 entries
  PID 1112 (kiab.exe) wrote to memory of PID 1152 (taskhost.exe): 5 entries
  PID 1112 (kiab.exe) wrote to memory of PID 1268 (Dwm.exe): 5 entries
  PID 1112 (kiab.exe) wrote to memory of PID 1296 (Explorer.EXE): 5 entries
  PID 1112 (kiab.exe) wrote to memory of PID 2040 (DllHost.exe): 5 entries
  PID 1112 (kiab.exe) wrote to memory of PID 1816 (89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe): 5 entries
  PID 1816 (89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe) wrote to memory of PID 2764 (cmd.exe): 9 entries
Processes

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Level: 1
  PID: 1152

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Level: 1
  PID: 1268

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Level: 1
  PID: 1296

  C:\Users\Admin\AppData\Local\Temp\89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe"
    Level: 2
    PID: 1816
    Signatures:
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Otoro\kiab.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Otoro\kiab.exe"
      Level: 3
      PID: 1112
      Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c0a8732.bat"
      Level: 3
      PID: 2764
      Signatures:
        - Deletes itself
        - System Location Discovery: System Language Discovery

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Level: 1
  PID: 2040
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 271B
MD5: e6618befc4d6c31e4aebf8f16a07f67e
SHA1: 6566be472dadd232e84d11aedb027f860371c8e6
SHA256: 88b634375c6b9a90b320f8a4e6a7411f6b41f07058bf008506105e8cd6cf5ac5
SHA512: 20684674db0ff769bc0404d466d7ab1e3cd5f4ef6aef2bf5811d0118568021adf7d4002d367c2ae275cdecd2da411da751da7f671cc26b593e8f50bc9b50c9d8

Filesize: 380B
MD5: 8db16aee742605b384936b28c81693b4
SHA1: 903418c6721ea33af5469d07aaddb55c40f68112
SHA256: 121a02c16b3b40f8970fb7912e9ae7d5b742383ec04ecd87fa0e03aa250cedf6
SHA512: bd7d5bea02f6155b20136c144cb154e4973549fbebadd881edd3ec8873ec86819b467cbb6c7d37ec95d34f77a10d6b0acea6f20a23e0082eb6ea003645f28e87

Filesize: 262KB
MD5: adf4eb6d72cb2b37111f764a5fd56463
SHA1: 370a956cd66aa08f398825b2a5c30449a760d270
SHA256: 7e1b1dac037b77ac1f4e575e69ef07a709a186b6392640edd3f4518d725ece78
SHA512: 06d9a85912ba4cfb308c63a7d70c670ded0c780d9978d8c7547f2ec2dda9f0959744d866df12cb52582a0bb86b57a47e603d2db4aac417bdbced646eb65b984d