Analysis

max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12/08/2024, 09:13
Static task: static1

Behavioral task: behavioral1
  Sample: 8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe
Size: 224KB
MD5: 8e28fdf1a5d189b7ecfa139389f69a6d
SHA1: 65704c95aa8197879de89ff0461497f8891e46aa
SHA256: 970fc37e5e65af9ae80359beea60b00d37b885f2a85dca46dfac66e2f60b5df4
SHA512: 251215b75e702bc40ad8288861d9424c332b26c748bc19b8433ce41047cf41c5a7058a4f35b5df9a2e11998cb213725b044d6f9e2cb61cc9e0ad87a8bc2bdb56
SSDEEP: 3072:6yCIh+ZmfSfL5mOSin7sJ+koykxgNkwQrPC705I50zHevc8oigMrJd3CFRa3Od:Yx9mOSinQJ+1dLwYaUZzgNgMEae
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  1736  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2724  ytotyiaco.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1736  cmd.exe
  1736  cmd.exe
  2724  ytotyiaco.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ytotyiaco.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  1736  cmd.exe
  2860  PING.EXE

Kills process with taskkill (1 IoC)
  pid   Process
  2992  taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2860  PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2992  taskkill.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                             procid_target
  PID 2092 wrote to memory of 1736  2092  8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe  31
  PID 2092 wrote to memory of 1736  2092  8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe  31
  PID 2092 wrote to memory of 1736  2092  8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe  31
  PID 2092 wrote to memory of 1736  2092  8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe  31
  PID 1736 wrote to memory of 2992  1736  cmd.exe                                             33
  PID 1736 wrote to memory of 2992  1736  cmd.exe                                             33
  PID 1736 wrote to memory of 2992  1736  cmd.exe                                             33
  PID 1736 wrote to memory of 2992  1736  cmd.exe                                             33
  PID 1736 wrote to memory of 2860  1736  cmd.exe                                             35
  PID 1736 wrote to memory of 2860  1736  cmd.exe                                             35
  PID 1736 wrote to memory of 2860  1736  cmd.exe                                             35
  PID 1736 wrote to memory of 2860  1736  cmd.exe                                             35
  PID 1736 wrote to memory of 2724  1736  cmd.exe                                             36
  PID 1736 wrote to memory of 2724  1736  cmd.exe                                             36
  PID 1736 wrote to memory of 2724  1736  cmd.exe                                             36
  PID 1736 wrote to memory of 2724  1736  cmd.exe                                             36
Processes

C:\Users\Admin\AppData\Local\Temp\8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe (PID 2092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1736)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2092 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8e28fdf1a5d189b7ecfa139389f69a6d_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\YTOTYI~1.EXE -f
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe (PID 2992)
      Command line: taskkill /f /pid 2092
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\PING.EXE (PID 2860)
      Command line: ping -n 3 127.1
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\ytotyiaco.exe (PID 2724)
      Command line: C:\Users\Admin\AppData\Local\YTOTYI~1.EXE -f
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224KB
MD5: 8e28fdf1a5d189b7ecfa139389f69a6d
SHA1: 65704c95aa8197879de89ff0461497f8891e46aa
SHA256: 970fc37e5e65af9ae80359beea60b00d37b885f2a85dca46dfac66e2f60b5df4
SHA512: 251215b75e702bc40ad8288861d9424c332b26c748bc19b8433ce41047cf41c5a7058a4f35b5df9a2e11998cb213725b044d6f9e2cb61cc9e0ad87a8bc2bdb56