Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-08-2024 11:30

General

  • Target

    95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe

  • Size

    770KB

  • MD5

    95eafe2e170e3e4b48dc6ab2feca4ac5

  • SHA1

    6cc6c85a88ad4271889bbace796abf0e10def2d8

  • SHA256

    0b21cf7b24d2b00745891dd621b1e2aaca668c19ba582b02af6cafac82e6d79d

  • SHA512

    4e1c25880e4d89f002fbc34155b6c5cad6e37101cf5a071d23cf1253aa1753a915e9fcb80fd572f4b61d66b87cf96afcd9ff2a78d236b1a40c36d2158c60ebd3

  • SSDEEP

    12288:sumtG1ioO6YP1loHqyGsb7mvqX/QnuCDPb/kEQ3w01RFYuR/qBXLl2j:sTG1i7gqyGsuWYnuqj/rQ3d1RGXB7l

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KERNEL~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KERNEL~1.EXE
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 440
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\KERNEL~1.EXE

    Filesize

    253KB

    MD5

    32e6f0240604951df67fd058c41a8d9d

    SHA1

    1ee0bdd45d4ef846b7c8ac429a11c32db817d13e

    SHA256

    b98d6fad7ff58cbd4e5e7b4c68f9868525e2c7779bf0aa8a7de0864b72e610bc

    SHA512

    c828d9e53a684443fbf5712504b27cfdfba3daadec09df60af754d070585ddeb96960be4731f375d8ce938d9af95e11dd0df975bb2bbdd004ab75beef0c0f11c

  • memory/2156-9-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2156-21-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2156-24-0x0000000000240000-0x00000000002BE000-memory.dmp

    Filesize

    504KB

  • memory/2536-6-0x0000000000D60000-0x0000000000DDE000-memory.dmp

    Filesize

    504KB

  • memory/2536-22-0x0000000000D60000-0x0000000000DDE000-memory.dmp

    Filesize

    504KB