Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
14/08/2024, 11:57
General
-
Target
9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe
-
Size
44KB
-
MD5
9602303e09b6d71564f1c7f2798bcefb
-
SHA1
1465dfd3d0b6d2fd1026d427fdd771f7cc5baf5d
-
SHA256
36b36af7a1bb9dac92c33ce73545b2d6b7991147669d8ee52be41a4292fb062d
-
SHA512
86e40951ebf499a4f7ae3372b18b4f2c08e528b726cd3ff940caf0f7804343a23ad17ae54dc320b780deb3153cb726b1123ffc14995d6f86d0f74ac7e39931b9
-
SSDEEP
768:hConZrk9TA9n8MLJajJN6tVqqBLWKg/S7yHTOfWzL8zF21IFPfpTrZNXohVR:YoeAeMokNe/S7bfWqF/BhTdNXa
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 39 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\opeF824.exe"C:\Users\Admin\AppData\Local\Temp\opeF824.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\opeF824.exe > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\skswall\skswall.exeC:\Windows\skswall\skswall.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 7442⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD59d6f008959289c199d7f187a1a5aeba3
SHA13e0fa6ec1c7dfb829a15cdcd03ddd3fe77952fc6
SHA25692e8627a15d348d2f5e87dcd1a7b4ea711c1b29c3851a74389c547eb516b55e9
SHA5127c0dd246f113eb8ef033fa4483a70083fc329e7869318699ab1b9ecd733d0b7574fc2851674114bca7a2b183a61d00ba5bc72a665dcb15096cbe821b8fd86a34
-
Filesize
45KB
MD543c73ea2871d383664fb447954b7135b
SHA10ca93d8223037e42243389ac2fd52b16c5eb4b8e
SHA2564cdd50d85d79c65e2b812308eae3e5204c5e99ffe66bf019d5409b93ed032d13
SHA5127b93c3b110aed515f571228edb6923b0c80b89698fb14dc4f53327424e0db3db765b657f191f22385c0a824980c81cdf17aed4e46b6adde8c09d82f54c2581f1
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
40.8MB
-
Filesize
40.8MB