Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
18/08/2024, 17:24 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe
Resource
win7-20240705-en
4 signatures
150 seconds
General
-
Target
a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe
-
Size
38KB
-
MD5
a78d34028798c3330a9994d15f0ac4f9
-
SHA1
6ea1c4e567bcb1661678bee83cde9aa0cc1152b3
-
SHA256
29addb702e0442e6c4ff9db365c630a3d5451a22b974a14c0aa1ddd58e2a2cf1
-
SHA512
37d62372176bb46b54df373512f9b810ad168c04328f71fd575035d12f471496b0e51ad3d787cc75cca47ec463540fa740ead8197d08c985e113566b0f800c88
-
SSDEEP
768:VFp2g6eDrbTuATuoqOIRdP0lGDOCokiwpxZiqWH9dj14:rp2g6gTjTuoqJRdP0sKQDpBY
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1724-5-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral1/memory/1724-3-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral1/memory/1724-1-0x0000000000C80000-0x0000000000C96000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3048 set thread context of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31 PID 3048 wrote to memory of 1724 3048 a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\a78d34028798c3330a9994d15f0ac4f9_JaffaCakes118.exe2⤵PID:1724
-