Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14-08-2024 11:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe
  - Resource: win7-20240708-en
General
- Target: 95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe
- Size: 770KB
- MD5: 95eafe2e170e3e4b48dc6ab2feca4ac5
- SHA1: 6cc6c85a88ad4271889bbace796abf0e10def2d8
- SHA256: 0b21cf7b24d2b00745891dd621b1e2aaca668c19ba582b02af6cafac82e6d79d
- SHA512: 4e1c25880e4d89f002fbc34155b6c5cad6e37101cf5a071d23cf1253aa1753a915e9fcb80fd572f4b61d66b87cf96afcd9ff2a78d236b1a40c36d2158c60ebd3
- SSDEEP: 12288:sumtG1ioO6YP1loHqyGsb7mvqX/QnuCDPb/kEQ3w01RFYuR/qBXLl2j:sTG1i7gqyGsuWYnuqj/rQ3d1RGXB7l
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Processes:
  - File created: C:\Windows\SysWOW64\Drivers\KeDetective131.sys (process: KERNEL~1.EXE)
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2156 KERNEL~1.EXE
- Loads dropped DLL (9 IoCs)
  Processes:
  - PID 2536 95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe
  - PID 2156 KERNEL~1.EXE
  - PID 2148 WerFault.exe (7 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe)
- Program crash (1 IoC)
  Processes:
  - PID 2148 WerFault.exe (target: PID 2156 KERNEL~1.EXE)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: KERNEL~1.EXE)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege (PID 2156 KERNEL~1.EXE)
  - Token: SeLoadDriverPrivilege (PID 2156 KERNEL~1.EXE)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 2536 (95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe) wrote to memory of PID 2156 (KERNEL~1.EXE), 7 times
  - PID 2156 (KERNEL~1.EXE) wrote to memory of PID 2148 (WerFault.exe), 7 times
Processes
- C:\Users\Admin\AppData\Local\Temp\95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\95eafe2e170e3e4b48dc6ab2feca4ac5_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2536
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KERNEL~1.EXE (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KERNEL~1.EXE
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2156
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 440
      - Loads dropped DLL
      - Program crash
      PID: 2148
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 253KB
- MD5: 32e6f0240604951df67fd058c41a8d9d
- SHA1: 1ee0bdd45d4ef846b7c8ac429a11c32db817d13e
- SHA256: b98d6fad7ff58cbd4e5e7b4c68f9868525e2c7779bf0aa8a7de0864b72e610bc
- SHA512: c828d9e53a684443fbf5712504b27cfdfba3daadec09df60af754d070585ddeb96960be4731f375d8ce938d9af95e11dd0df975bb2bbdd004ab75beef0c0f11c