Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
Size: 129KB
MD5: a6601396632bad6bd3aa07b7258426ed
SHA1: f866a1fcef43fa20b05f21cae9862aac2f3e57d7
SHA256: 410c9c7bde0827f0b59ae71b87efa4826484575ed12e4b3904b1d22df18d6de4
SHA512: 22c7f685da05d6f36171c88837473bcb3b829abc02e2e8f76ac105c85acefd2c25f402e6f34b979d2d70927fc86cc845d5db4f73c34aa181fca50c627add8eb3
SSDEEP: 3072:s6K4roryHyyPpuSRvBPNEO51d3fKqKs9mUqOmFBf9jjD2F4Pe:s6wr0u2BP551lCqpmUZmf126
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid   Process
  3064  Bcihoa.exe
-
Drops file in Windows directory (6 IoCs)
  description                   ioc                                                              Process
  File opened for modification  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job     Bcihoa.exe
  File created                  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job     a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  File opened for modification  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job     a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  File created                  C:\Windows\Bcihoa.exe                                            a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  File opened for modification  C:\Windows\Bcihoa.exe                                            a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  File created                  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job     Bcihoa.exe
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Bcihoa.exe
-
Modifies Internet Explorer settings (2 IoCs)
  description  ioc                                                                                                        Process
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main           Bcihoa.exe
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\International  Bcihoa.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3064  Bcihoa.exe   (all 64 entries are this same process)
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                              procid_target
  PID 2584 wrote to memory of 3064   2584  a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe  30   (4 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe"
   PID: 2584
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Bcihoa.exe   (child of PID 2584)
      Command line: C:\Windows\Bcihoa.exe
      PID: 3064
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
-
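The signatures and process tree above reduce to a small number of host-observable facts: the sample, running from the user's Temp folder, writes Bcihoa.exe straight into C:\Windows and a .job file into the legacy Task Scheduler folder C:\Windows\Tasks, then launches the file it just dropped, which rewrites the same .job file. The following is an added example, not part of the sandbox report or the sample, showing how those facts map onto Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records. The event dictionaries are constructed to mirror the report's PIDs and paths (plus one benign scheduler write that must not fire); the field names follow Sysmon's, and the list of "expected" scheduler images and the user-writable path hints are assumptions used as noise filters. Two caveats a detection engineer should keep in mind: the NLS\Language lookup is a registry key open, which Sysmon does not record (it logs creates, deletes and value sets), so that IoC is visible only in API-trace data such as this sandbox's; and a parent writing into a child it has just created is also what an ordinary process launch looks like in a WriteProcessMemory trace, so the four writes to PID 3064 on their own do not establish injection. The rules therefore key on the file-system and parent-child evidence.

```python
"""Added example: Sysmon-style detection of the behaviours in the report above
(EXE dropped into C:\\Windows, .job written to C:\\Windows\\Tasks, parent
launching the file it just dropped). Events below are constructed, not real logs."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Task Scheduler 1.0 (AT/ITask) jobs live here as .job files. The scheduler
# service (hosted in svchost.exe) and its admin tools are the expected writers;
# an arbitrary EXE writing here is a persistence indicator. (Assumed allow-list.)
TASKS_DIR = r"c:\windows\tasks"
WINDOWS_DIR = r"c:\windows"
SCHEDULER_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\schtasks.exe",
    r"c:\windows\system32\mmc.exe",
    r"c:\windows\system32\at.exe",
}
# Image locations from which legitimate software rarely writes directly into
# the Windows root (assumption used as a noise filter for rule 2).
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str   # process that triggered the rule (lower-cased path)
    target: str  # file written, or the parent image for executes_dropped_exe


def _norm(path: str) -> str:
    """Case-fold a Windows path so comparisons are not case sensitive."""
    return path.strip().lower()


def detect(events: list[dict]) -> list[Finding]:
    """Apply three rules to Sysmon-like events (EventID 11 = FileCreate,
    EventID 1 = ProcessCreate) in arrival order and return every finding."""
    findings: list[Finding] = []
    # (pid, image) -> files that process created; lets rule 3 tie a child
    # process back to the file its parent dropped earlier.
    dropped: dict[tuple[int, str], set[str]] = defaultdict(set)

    for ev in events:
        if ev["EventID"] == 11:
            pid, img, tgt = ev["ProcessId"], _norm(ev["Image"]), _norm(ev["TargetFilename"])
            dropped[(pid, img)].add(tgt)
            tgt_dir = ntpath.dirname(tgt)
            # Rule 1: .job written into the legacy Tasks folder by a non-scheduler image.
            if tgt_dir == TASKS_DIR and tgt.endswith(".job") and img not in SCHEDULER_IMAGES:
                findings.append(Finding("task_job_file_written", pid, img, tgt))
            # Rule 2: executable dropped directly into the Windows root from a user-writable location.
            if tgt_dir == WINDOWS_DIR and tgt.endswith((".exe", ".dll")) \
                    and any(h in img for h in USER_WRITABLE_HINTS):
                findings.append(Finding("exe_dropped_in_windows_root", pid, img, tgt))
        elif ev["EventID"] == 1:
            img, parent = _norm(ev["Image"]), _norm(ev["ParentImage"])
            # Rule 3: the new process image is a file its parent created earlier.
            if img in dropped.get((ev["ParentProcessId"], parent), set()):
                findings.append(Finding("executes_dropped_exe", ev["ProcessId"], img, parent))
    return findings


# Constructed events mirroring the report's PIDs and paths, plus one benign
# scheduler write (svchost.exe creating At1.job) that must not fire.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a6601396632bad6bd3aa07b7258426ed_JaffaCakes118.exe"
DROPPED = r"C:\Windows\Bcihoa.exe"
JOB = r"C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2584, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 11, "ProcessId": 2584, "Image": SAMPLE, "TargetFilename": JOB},
    {"EventID": 1, "ProcessId": 3064, "Image": DROPPED, "ParentProcessId": 2584, "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 3064, "Image": DROPPED, "TargetFilename": JOB},
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\At1.job"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.image} -> {f.target}")
```

Run against the constructed events this yields four findings in order: the EXE drop into the Windows root by PID 2584, the .job write by PID 2584, the child PID 3064 executing the dropped file, and the second .job write by PID 3064; the svchost.exe write produces nothing. Rule 3 is the one that turns two weak signals into a chain: a file created by one process and then appearing as the image of that process's own child is the "Executes dropped EXE" signature in the report, independent of any hash.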
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 129KB
MD5: a6601396632bad6bd3aa07b7258426ed
SHA1: f866a1fcef43fa20b05f21cae9862aac2f3e57d7
SHA256: 410c9c7bde0827f0b59ae71b87efa4826484575ed12e4b3904b1d22df18d6de4
SHA512: 22c7f685da05d6f36171c88837473bcb3b829abc02e2e8f76ac105c85acefd2c25f402e6f34b979d2d70927fc86cc845d5db4f73c34aa181fca50c627add8eb3
-
Filesize: 372B
MD5: b6de83a2295e22e284ac4f88299135a3
SHA1: 2d054ea4322a9aebc85d000bbdd79fa404590fa6
SHA256: 51a4306e57c962587b86df049a51873ee79d90e3512d57d667234687fab6abf3
SHA512: 1b083f1fa4d35d546b554c1101592a0e2531de6d37e2903b3968c2594cc5616c9c86e3ebe73d50ad0124c3774d8b3d42c65ae5cda1a7839de5f61ab2c7b7339b