Analysis
Max time kernel: 142s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/08/2024, 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
Size: 635KB
MD5: 8bba0456bb93b66f2d4a744369d81fc6
SHA1: 99e1c9bc408ace92281ee0c76d01d717aa123fc9
SHA256: 83480fca34ddd3ed41e47f3e9df56af9335ee7e1ac2fa294f462eefaefab2e7c
SHA512: 503260e4add00fb5248c8a1517013c418f8dfc5da2ec9e1911de9fabd5624edd88caae745cd615543479e5d89d10b2ab43df97180c89b968509819316a56ce79
SSDEEP: 12288:SDwcSW0JXwcb8IDZtQAGYMPRZqF3Z4mxxpDqVTVOCe:+wXWQTb8IDZtQAGYMOQmXAVTze
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 3788  Process: Hacker

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Hacker  (Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Hacker  (Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe)
  File created: C:\Windows\uninstal.bat  (Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: Hacker)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: cmd.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 452   Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 3788  Process: Hacker

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3788  Process: Hacker

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 452 wrote to memory of 2144  PID 452  Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe  Target procid: 90
  PID 452 wrote to memory of 2144  PID 452  Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe  Target procid: 90
  PID 452 wrote to memory of 2144  PID 452  Process: 8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe  Target procid: 90
Processes

C:\Users\Admin\AppData\Local\Temp\8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe"
  PID: 452
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      PID: 2144
      - System Location Discovery: System Language Discovery

C:\Windows\Hacker
  Command line: C:\Windows\Hacker
  PID: 3788
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 635KB
  MD5: 8bba0456bb93b66f2d4a744369d81fc6
  SHA1: 99e1c9bc408ace92281ee0c76d01d717aa123fc9
  SHA256: 83480fca34ddd3ed41e47f3e9df56af9335ee7e1ac2fa294f462eefaefab2e7c
  SHA512: 503260e4add00fb5248c8a1517013c418f8dfc5da2ec9e1911de9fabd5624edd88caae745cd615543479e5d89d10b2ab43df97180c89b968509819316a56ce79
-
  Filesize: 218B
  MD5: 73359095e96bf9c7e804971380a119d5
  SHA1: f868c51fb7412373c20f52a3d96657150385b433
  SHA256: e2cc17428d5abe8db07f5e176708d08d4f83fa466e1d8f31ba1f146d02811c26
  SHA512: 6aff500736468d1e159de6300eb8821aedf41a0f24963d10a03afc83fdd793d3e61e9f51554cd9605cf75b3bd87509dab68283928e249c12cc3d7535842ef0aa