Analysis

max time kernel:  144s
max time network: 130s
platform:         windows10-2004_x64
resource:         win10v2004-20240802-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:        14-08-2024 14:52
Static task: static1

Behavioral task: behavioral1
  Sample:   968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample:   968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
Size:   29KB
MD5:    968c75a95a0374f0eb783a104541bc3c
SHA1:   fc0301171829a2c2d79d998f4548d57c831c7eb8
SHA256: 7ef0964cdfe6c09d37a7c2528ffe67f22f271b1ba15f8677444e252d2c8bed00
SHA512: e083b7c06ad06565f71b78a6acaf0f6216c7201408b2421ac649ae02497f886f1837477a2804aa8b7bffa0ed4074ff60291e295ba44d8d086dab4e4e6aecc753
SSDEEP: 768:bkFv1J+LgDuOm/cMnRV2/5pdrxMprMnKlwfcqAO0BY:bkYLYMnR8lr8oyQiOX
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1340  MayaBabyMain.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  4692  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  1340  MayaBabyMain.exe
Drops file in System32 directory (15 IoCs)
  description                   ioc                                                Process
  File created                  C:\Windows\SysWOW64\me.bat                         MayaBabyMain.exe
  File opened for modification  C:\Windows\SysWOW64\me.bat                         attrib.exe
  File opened for modification  C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp      MayaBabyMain.exe
  File opened for modification  C:\Windows\SysWOW64\me.bat                         attrib.exe
  File opened for modification  C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat       968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat       MayaBabyMain.exe
  File created                  C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp      MayaBabyMain.exe
  File created                  C:\Windows\SysWOW64\me.bat                         968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp      968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp      968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat       MayaBabyMain.exe
  File opened for modification  C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat       MayaBabyMain.exe
  File created                  C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat       968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat       968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat       968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MayaBabyMain.exe
Suspicious behavior: EnumeratesProcesses (56 IoCs)
  The 56 entries are repetitions of two pid/Process pairs:
  pid   Process
  4692  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  1340  MayaBabyMain.exe
Suspicious behavior: LoadsDriver (2 IoCs)
  pid  Process
  652  Process not Found
  652  Process not Found
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4692  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
  Token: SeDebugPrivilege  1340  MayaBabyMain.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                              procid_target
  PID 1340 wrote to memory of 408   1340  MayaBabyMain.exe                                     95
  PID 1340 wrote to memory of 408   1340  MayaBabyMain.exe                                     95
  PID 1340 wrote to memory of 408   1340  MayaBabyMain.exe                                     95
  PID 408 wrote to memory of 1536   408   cmd.exe                                              97
  PID 408 wrote to memory of 1536   408   cmd.exe                                              97
  PID 408 wrote to memory of 1536   408   cmd.exe                                              97
  PID 4692 wrote to memory of 1412  4692  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe  98
  PID 4692 wrote to memory of 1412  4692  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe  98
  PID 4692 wrote to memory of 1412  4692  968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe  98
  PID 1412 wrote to memory of 4040  1412  cmd.exe                                              100
  PID 1412 wrote to memory of 4040  1412  cmd.exe                                              100
  PID 1412 wrote to memory of 4040  1412  cmd.exe                                              100
Views/modifies file attributes (1 TTP, 2 IoCs)
  pid   Process
  1536  attrib.exe
  4040  attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\968c75a95a0374f0eb783a104541bc3c_JaffaCakes118.exe"
    PID: 4692
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
        PID: 1412
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -h -s -r -a C:\Windows\system32\me.bat
            PID: 4040
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

[1] C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
    Command line: C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
    PID: 1340
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
        PID: 408
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -h -s -r -a C:\Windows\system32\me.bat
            PID: 1536
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
    PID: 4760
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 17KB
  MD5:      e06782d0b2624273e49cab6fdfbca003
  SHA1:     45b7f58f741733319ff3821a40c71e2d7a9501fc
  SHA256:   6d91811228b0606b45ba00a66a7829bf147dc03a895ec50fe18726d291927d41
  SHA512:   e8d12a7c05de3207fab9c482d63b38671055935ea5ca7c85b0981577414f72743fb44a8cb6f530d4daccb995e13ad3e13f588409c793ee2978decd3c6d2e53c6

Download 2 (hashes match the submitted sample)
  Filesize: 29KB
  MD5:      968c75a95a0374f0eb783a104541bc3c
  SHA1:     fc0301171829a2c2d79d998f4548d57c831c7eb8
  SHA256:   7ef0964cdfe6c09d37a7c2528ffe67f22f271b1ba15f8677444e252d2c8bed00
  SHA512:   e083b7c06ad06565f71b78a6acaf0f6216c7201408b2421ac649ae02497f886f1837477a2804aa8b7bffa0ed4074ff60291e295ba44d8d086dab4e4e6aecc753

Download 3
  Filesize: 3KB
  MD5:      5a2a1a482b3329da4389f48fa53c1c27
  SHA1:     1570d0291eeb4963715b6224e425659adb4d7865
  SHA256:   f60b98379ef24d31742a8872f16d8a487f32ca590a364b5594da3f9ce4c07849
  SHA512:   3e161e32660d5a80c11a9517b9b56e102afd8e4527bac989d5229fbc8fe05ad185478a26d0167e91f9148dc3b172c8821bbd585245647501d22708be8d70d538

Download 4
  Filesize: 105B
  MD5:      449394d4321643e8bdb599cd756d2643
  SHA1:     a927ffd3c12e1ec789200e819284a9989466f647
  SHA256:   645413e352354caf128443f8bc8e541c45ce12e8601ba2aec6bdd63763ee2f0c
  SHA512:   f28b3c9d9c525749abad6138c0b78ed3bdb55459674679fbe384d84882ba9e0541763a2f344ff7d96f6c39c6c61657429e0f06156735bc786e5c1388d1df5072

Download 5
  Filesize: 144B
  MD5:      f14ab2f525fe97c7f1438355b30c4a41
  SHA1:     baae329e5aa1df3866dcd5f5b0079b4e72346904
  SHA256:   514b3e61220ab5965d34c124ee3e0179ef8ec96a1442919fe79ee2fc21a7b470
  SHA512:   8e051608fc37bfc7c18ddc0b13440fbc35cf496795cf44ce0155ec462438fe6c27fb2c02fbd9dd33461744293ffea7c366ada9bbf76ccabd8b2e4b9150d820fc