Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 14/08/2024, 13:50
Static task: static1
Behavioral task: behavioral1
  Sample: 965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe
Size: 276KB
MD5: 965af3f1da7fd6a63e689ae342485a39
SHA1: fc2966118e5fc1fdb173501ddbf057b365e1bf3a
SHA256: aec67a93c33daebf8e03da1f6bf12780ac588c146feb206f7f6b0f226ff65623
SHA512: 7ddfd8365138733e23b8c39deb3c7c96f6291795872c6e4206241a8d90667080d6b40559db3716ce118dd3c0adf5d99f24a23975107850062fa0679d7b5cef94
SSDEEP: 3072:uKVMNfZoTD8/doTMjo17eiMDaFh043kLbHcsBTsuZfD:uKV+b/KTReiM+2bHzBwuZr
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid   Process
  2076  cmd.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2476  timxpl.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2076  cmd.exe
  2076  cmd.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timxpl.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2332  PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  2332  PING.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                              procid_target
  PID 1460 wrote to memory of 2076   1460  965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe  30
  PID 1460 wrote to memory of 2076   1460  965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe  30
  PID 1460 wrote to memory of 2076   1460  965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe  30
  PID 1460 wrote to memory of 2076   1460  965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe  30
  PID 2076 wrote to memory of 2476   2076  cmd.exe                                              32
  PID 2076 wrote to memory of 2476   2076  cmd.exe                                              32
  PID 2076 wrote to memory of 2476   2076  cmd.exe                                              32
  PID 2076 wrote to memory of 2476   2076  cmd.exe                                              32
  PID 2076 wrote to memory of 2332   2076  cmd.exe                                              33
  PID 2076 wrote to memory of 2332   2076  cmd.exe                                              33
  PID 2076 wrote to memory of 2332   2076  cmd.exe                                              33
  PID 2076 wrote to memory of 2332   2076  cmd.exe                                              33
Processes

1. C:\Users\Admin\AppData\Local\Temp\965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1460

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ypvjuva.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2076

      3. C:\Users\Admin\AppData\Local\Temp\timxpl.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\timxpl.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 2476

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Runs ping.exe
         PID: 2332
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 170B
MD5: f8a7abd373685c26b8a6df5fb1e73f82
SHA1: 2bac531c53106e7701f57f98fd984699861f0a01
SHA256: de8ea1c280b285f3b79fcfac2eb6070bc2485b66ed13729efe569b1f53f590f4
SHA512: c03032d9b407b05db366899dae5e7409c06c550552051320979c41502874039fe093127e29a1f107e66948a85d7592f178e6132628222acb30fbd8208e031a9f

Filesize: 176KB
MD5: 3ff1b47f2c207004dd3c855265f4a29e
SHA1: 2ba1d4e0b796bbf7912eae6188c7d4296185efba
SHA256: cd44038b2fe36d0bedd2d5c32bd375a7f575d22ba99d40993247eb5f4a020e70
SHA512: 307dc6c7116b0b6cd1e85a63e94b0f71038647adda74f5d09a204efc7451ecc222347bf8bf3cc1b32d4243ad99d7d961c8f22e4ddf8105c1e3920da8a3fc7bb1

Filesize: 124B
MD5: 9503516a068ef18b8fca53873a113006
SHA1: a002d0c3bb85768f7c980a8332f44105a56a03b0
SHA256: 26bebe3692771e5fb48b1497978273800f798ef7bf7b3d9bf2edf11117bbf7a0
SHA512: b943124fa5facc431c07daf37aa06193e2ed1817c75d3b4e5ab8ea915c2aadf88838083f8de9c5b86bc51737aa8d96481ebe9098db386a3428bf3f5e598f5af5