Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
18-08-2024 03:15
Static task
static1
Behavioral task
behavioral1
Sample
a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe
-
Size
380KB
-
MD5
a52d0c834a09cc7efdfe374ee2f4f90e
-
SHA1
5957da57c40aef542a52d07df04501f74b631bdb
-
SHA256
aaf00e1348307208d3415f629193cdf125171170a32a8cdeb140e8373d079714
-
SHA512
e99e1429dcac7398473cecb4a63cce2ac1b0bccb2f4dd284e38c1ca16dac21d0d6552c886604c87fe79590274ea821734faf874639f873883a75e0d4d5a247e8
-
SSDEEP
6144:hBUl1fcf0Tv2sbP6mSPmFFLmlrqQroarJ0zUWZyzhX:Q79vnz6mSQYxkarJaZyzh
Malware Config
Extracted
asyncrat
0.5.7B
Default
severdops.ddns.net:6204
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1544 set thread context of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2836 schtasks.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1544 wrote to memory of 2836 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 31 PID 1544 wrote to memory of 2836 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 31 PID 1544 wrote to memory of 2836 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 31 PID 1544 wrote to memory of 2836 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 31 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33 PID 1544 wrote to memory of 2936 1544 a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eKLGqzBRYkTEB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D9C.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a52d0c834a09cc7efdfe374ee2f4f90e_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2936
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD515dc6770830c1a0bca362e56e4badcfc
SHA10c16d8ef7bf73ab68040f34146830548c33d5cf9
SHA256da4f19953799f9f92bf97fab9297b7744f19f0fac14f818fad936a7369e1092a
SHA512ae6cc97c34bad437d03bb35c0cc8dcec12ee64109ddadd9139ea8a789b74446db9945962dab92729b02c1bced5e457cd350db36f6425a069887aa75de0d85fe1