Analysis
max time kernel: 143s
max time network: 146s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 04:10
Static task: static1
Behavioral task: behavioral1
  Sample: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe
Size: 63KB
MD5: a9882ca9f29376841c49f8a91ae86587
SHA1: 9e96d6cca40be887a6c80d989ba10c30aefe28f6
SHA256: 4781180a4d0419f1b9ce5c0f2598dfd08082585da5493ec6978e7bd3e0de8bd0
SHA512: 2e29619773abfa3dfb7922c167a1e79e1855bc2cbd41d81b984ce7952f76775db676f743147019ea49ac4e788dd46f2921f75402e231f348e0d76d24668454b5
SSDEEP: 1536:Pg7vBBJpwzRmfpCxQLMc8zvG8oaPJ7TFf0pobN8a:Pg7vBjpwzRKtAVTRjZTWpobX
Malware Config
Signatures
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360\Parameters\ServiceDll = "C:\\Windows\\system32\\360.dll" (process: rundll32.exe)
- Executes dropped EXE (1 IoCs)
  PID 2328: notepad.exe
- Loads dropped DLL (4 IoCs)
  PID 2992: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe (2 events)
  PID 2896: rundll32.exe
  PID 2920: svchost.exe
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\360.dll (process: rundll32.exe)
  File created: C:\Windows\SysWOW64\360.dll (process: rundll32.exe)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Common Files\notepad.exe (process: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\notepad.exe (process: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: notepad.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Opens file in notepad (likely ransom note) (1 IoCs)
  PID 2328: notepad.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2992 (a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe) wrote to memory of PID 2328, procid_target 29 (4 events)
  PID 2328 (notepad.exe) wrote to memory of PID 2896, procid_target 30 (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe"
  PID: 2992
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Common Files\notepad.exe (child of PID 2992)
    command line: "C:\Program Files (x86)\Common Files\notepad.exe" C:\Users\Admin\AppData\Local\Temp\a9882ca9f29376841c49f8a91ae86587_JaffaCakes118.exe
    PID: 2328
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (child of PID 2328)
      command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EE16.tmp" "8A'+ [=[SCMR'8[='U"
      PID: 2896
      - Server Software Component: Terminal Services DLL
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 2920
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 102KB
  MD5: b8c1a0a0b6e5482bdc459e854534631d
  SHA1: 5ce40a94901e2b74cb5cbf46485bd5502ec73d00
  SHA256: e672d709bb5a8da3e7a0c3b6fdee2bc658354dd14fb7a229d3594e3eca2ac71f
  SHA512: 5cce16e4d605412c295b9778ad7db2846804f542af4bb06a8e84a8874b493d9973cdab1bd69469c2fb9f38aa8a3f9023277c14464efb593bb2bdddda87d4e2c8