Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
Size: 117KB
MD5: a79f2947edc9daf185253fdd3dee4f74
SHA1: 75abfcd09f0076697f58ccd02f3ed22f2e501cee
SHA256: 725f6f3f86f718c4c170d09c687b9aef6e7caaceadf67230e1065197e0c3cc22
SHA512: c5d99453726dacd79ddbc1c57d67314aa1d68ac2d25990a576f5a3dfd1a65b2d163722450cbeb6097da6082269ec9828694a4fbc3a74d602344ccc045e2692a4
SSDEEP: 1536:uzpoGDl31C8f6SOvaLzX+aXGrj9KABF9SPRFHquxMJOjvSaABsDAwvpKbKQ7LGuS:if6SOozOaXGrjdSP9EaA0ByKQ7Oj
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 2140, Process Fqobua.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\2SPI9KEA4C = "C:\\Windows\\Fqobua.exe" (Process: Fqobua.exe)

Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe)
  File created: C:\Windows\Fqobua.exe (Process: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Fqobua.exe (Process: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Fqobua.exe)

Modifies Internet Explorer settings (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main (Process: Fqobua.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\International (Process: Fqobua.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2140, Process Fqobua.exe (the same pid/process pair is reported for all 64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 2356, Process a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  pid 2140, Process Fqobua.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2356 wrote to memory of 2140 (pid 2356, Process a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe, procid_target 31)
  PID 2356 wrote to memory of 2140 (pid 2356, Process a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe, procid_target 31)
  PID 2356 wrote to memory of 2140 (pid 2356, Process a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe, procid_target 31)
  PID 2356 wrote to memory of 2140 (pid 2356, Process a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe, procid_target 31)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe"
   PID: 2356
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Fqobua.exe (child of process 1)
      Command line: C:\Windows\Fqobua.exe
      PID: 2140
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 117KB
MD5: a79f2947edc9daf185253fdd3dee4f74
SHA1: 75abfcd09f0076697f58ccd02f3ed22f2e501cee
SHA256: 725f6f3f86f718c4c170d09c687b9aef6e7caaceadf67230e1065197e0c3cc22
SHA512: c5d99453726dacd79ddbc1c57d67314aa1d68ac2d25990a576f5a3dfd1a65b2d163722450cbeb6097da6082269ec9828694a4fbc3a74d602344ccc045e2692a4

Filesize: 372B
MD5: d283758972a8909edb6e0103b8fff004
SHA1: 9f31452b21b6efec39cdb6ab8d05491b5b3aa8ce
SHA256: 6e38f9ab7a3ffa78edf8fb30062df1be5dcf540fb89e438a76386efcd810cf47
SHA512: 67e757315a53c758280c32217f1b84663b0ac34d1e8266b6805fcc8ca80bf339f8333fa723eccdf16b6759d4bf7403e5a93f2e241ef9864772dfe04ec7aee404