Analysis
Max time kernel: 150s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 16-08-2024 23:09
Behavioral task: behavioral1
Sample: a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
Size: 134KB
MD5: a04f107883bc6e01a249e8e155c88818
SHA1: 890b7e58238e7e335b0505bc7869abe59efdfdf1
SHA256: 6693722ed2f194ec8fd414564162820fca3f9533cb2c3eaba3889683102c5d70
SHA512: c58d2fee1fc27af306959dfce199bb5596025a2f66e93ea2d979b255bd48be7e75d57dd83b218b14e35148ced221b41bbbba4a902a4740e2a94fa8337f8ee567
SSDEEP: 3072:OgftEpw7GtewNcxvuAOYS76M7dLEIPOwPCZTHOUs/7cVN4/:OetYIxwjYMJ4fICZr3s/Yvq
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid | Process
  1300 | Ghedua.exe

  resource | yara_rule
  behavioral1/memory/1572-0-0x0000000000400000-0x000000000043B000-memory.dmp | upx
  behavioral1/files/0x00080000000170f2-8.dat | upx
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Z7HRPUZG3M = "C:\\Windows\\Ghedua.exe" | Ghedua.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
  File created | C:\Windows\Ghedua.exe | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
  File opened for modification | C:\Windows\Ghedua.exe | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
  File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghedua.exe
Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | Ghedua.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\International | Ghedua.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1300 | Ghedua.exe (this same row is listed 64 times in the report)
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1572 wrote to memory of 1300 | 1572 | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe | 30
  PID 1572 wrote to memory of 1300 | 1572 | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe | 30
  PID 1572 wrote to memory of 1300 | 1572 | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe | 30
  PID 1572 wrote to memory of 1300 | 1572 | a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a04f107883bc6e01a249e8e155c88818_JaffaCakes118.exe"
   PID: 1572
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Ghedua.exe (child of PID 1572)
      Command line: C:\Windows\Ghedua.exe
      PID: 1300
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134KB
MD5: a04f107883bc6e01a249e8e155c88818
SHA1: 890b7e58238e7e335b0505bc7869abe59efdfdf1
SHA256: 6693722ed2f194ec8fd414564162820fca3f9533cb2c3eaba3889683102c5d70
SHA512: c58d2fee1fc27af306959dfce199bb5596025a2f66e93ea2d979b255bd48be7e75d57dd83b218b14e35148ced221b41bbbba4a902a4740e2a94fa8337f8ee567

Filesize: 372B
MD5: 5667064a6f85242fb8971b7e91b6eeab
SHA1: 05e7dbc013fd45b536da1dd70fffd006d203be88
SHA256: 3fa2df5d7c5822ba57a5d273bc3a00937ba00a79c9937292a239add6563ef265
SHA512: 556027b07088530a0bce179a9f6a3cc4bdd53e736087f4815c5c76b86809732a4ef8f53cfef946d9c6b01be06b48bbd1f919e2a1cad04f7db0e240cd23c2aa3e