Analysis

max time kernel: 148s
max time network: 51s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 03:52

Static task: static1

Behavioral task: behavioral1
Sample: adc55eb722f367125e2c340136789543_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: adc55eb722f367125e2c340136789543_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: adc55eb722f367125e2c340136789543_JaffaCakes118.exe
Size: 12.3MB
MD5: adc55eb722f367125e2c340136789543
SHA1: a6c0286238dce97d36a6c4497c8536e20a7aafda
SHA256: c46673123ec8ecdc19d56d7891852006a9ac65a68ef575a2df5a7cb19798a6e0
SHA512: 96db07ad69f9a1f52c0b3aaa8ceafbb92f8edb74fb931d3f4565ddba52acec132857437b94b0a24d13872b8466da74eb0ddf4ca7a330cba2479f52a067d5c19e
SSDEEP: 3072:S1u9x2gBvT/I2+MIGkMTe+RejG1YE5XogzodjJdWpFZ7:S1u9x2gNTwOx4E10R4Z7
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reptile.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\reptile.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\reptile.exe:*:Enabled:Windows Update Manager" | reptile.exe |
Executes dropped EXE (7 IoCs)

| pid | Process |
|---|---|
| 1376 | Adobe Keygen.exe |
| 2948 | reptile.exe |
| 2888 | reptile.exe |
| 3028 | reptile.exe |
| 2252 | iexplorer.exe |
| 2012 | iexplorer.exe |
| 2884 | iexplorer.exe |
Loads dropped DLL (6 IoCs)

| pid | Process |
|---|---|
| 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe |
| 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe |
| 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe |
| 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe |
| 2948 | reptile.exe |
| 2888 | reptile.exe |

YARA rule match: upx

| resource | yara_rule |
|---|---|
| behavioral1/files/0x00080000000120f9-13.dat | upx |
| behavioral1/memory/1376-23-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-61-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-62-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-64-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-66-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-68-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-70-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-72-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-74-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-76-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-78-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-80-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-82-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-84-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-86-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
| behavioral1/memory/1376-88-0x0000000000400000-0x0000000000499000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update Manager = "iexplorer.exe" | reptile.exe |
Suspicious use of SetThreadContext (5 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 712 set thread context of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 2948 set thread context of 2888 | 2948 | reptile.exe | 33 |
| PID 2888 set thread context of 3028 | 2888 | reptile.exe | 34 |
| PID 2252 set thread context of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2012 set thread context of 2884 | 2012 | iexplorer.exe | 37 |
Drops file in Windows directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\iexplorer.exe | reptile.exe |
| File opened for modification | C:\Windows\iexplorer.exe | reptile.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adc55eb722f367125e2c340136789543_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reptile.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reptile.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adc55eb722f367125e2c340136789543_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adobe Keygen.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reptile.exe |
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
|---|---|
| 1376 | Adobe Keygen.exe |
Suspicious use of WriteProcessMemory (42 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 712 wrote to memory of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 712 wrote to memory of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 712 wrote to memory of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 712 wrote to memory of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 712 wrote to memory of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 712 wrote to memory of 1972 | 712 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 30 |
| PID 1972 wrote to memory of 1376 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 31 |
| PID 1972 wrote to memory of 1376 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 31 |
| PID 1972 wrote to memory of 1376 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 31 |
| PID 1972 wrote to memory of 1376 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 31 |
| PID 1972 wrote to memory of 2948 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 32 |
| PID 1972 wrote to memory of 2948 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 32 |
| PID 1972 wrote to memory of 2948 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 32 |
| PID 1972 wrote to memory of 2948 | 1972 | adc55eb722f367125e2c340136789543_JaffaCakes118.exe | 32 |
| PID 2948 wrote to memory of 2888 | 2948 | reptile.exe | 33 |
| PID 2948 wrote to memory of 2888 | 2948 | reptile.exe | 33 |
| PID 2948 wrote to memory of 2888 | 2948 | reptile.exe | 33 |
| PID 2948 wrote to memory of 2888 | 2948 | reptile.exe | 33 |
| PID 2948 wrote to memory of 2888 | 2948 | reptile.exe | 33 |
| PID 2948 wrote to memory of 2888 | 2948 | reptile.exe | 33 |
| PID 2888 wrote to memory of 3028 | 2888 | reptile.exe | 34 |
| PID 2888 wrote to memory of 3028 | 2888 | reptile.exe | 34 |
| PID 2888 wrote to memory of 3028 | 2888 | reptile.exe | 34 |
| PID 2888 wrote to memory of 3028 | 2888 | reptile.exe | 34 |
| PID 2888 wrote to memory of 3028 | 2888 | reptile.exe | 34 |
| PID 2888 wrote to memory of 3028 | 2888 | reptile.exe | 34 |
| PID 3028 wrote to memory of 2252 | 3028 | reptile.exe | 35 |
| PID 3028 wrote to memory of 2252 | 3028 | reptile.exe | 35 |
| PID 3028 wrote to memory of 2252 | 3028 | reptile.exe | 35 |
| PID 3028 wrote to memory of 2252 | 3028 | reptile.exe | 35 |
| PID 2252 wrote to memory of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2252 wrote to memory of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2252 wrote to memory of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2252 wrote to memory of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2252 wrote to memory of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2252 wrote to memory of 2012 | 2252 | iexplorer.exe | 36 |
| PID 2012 wrote to memory of 2884 | 2012 | iexplorer.exe | 37 |
| PID 2012 wrote to memory of 2884 | 2012 | iexplorer.exe | 37 |
| PID 2012 wrote to memory of 2884 | 2012 | iexplorer.exe | 37 |
| PID 2012 wrote to memory of 2884 | 2012 | iexplorer.exe | 37 |
| PID 2012 wrote to memory of 2884 | 2012 | iexplorer.exe | 37 |
| PID 2012 wrote to memory of 2884 | 2012 | iexplorer.exe | 37 |
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\adc55eb722f367125e2c340136789543_JaffaCakes118.exe (PID 712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\adc55eb722f367125e2c340136789543_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\adc55eb722f367125e2c340136789543_JaffaCakes118.exe (PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\adc55eb722f367125e2c340136789543_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\Adobe Keygen.exe (PID 1376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Keygen.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam

    Level 3: C:\Users\Admin\AppData\Local\Temp\reptile.exe (PID 2948)
      Command line: "C:\Users\Admin\AppData\Local\Temp\reptile.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\reptile.exe (PID 2888)
        Command line: "C:\Users\Admin\AppData\Local\Temp\reptile.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\Temp\reptile.exe (PID 3028)
          Command line: "C:\Users\Admin\AppData\Local\Temp\reptile.exe"
          - Modifies firewall policy service
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\iexplorer.exe (PID 2252)
            Command line: "C:\Windows\iexplorer.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            Level 7: C:\Windows\iexplorer.exe (PID 2012)
              Command line: "C:\Windows\iexplorer.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              Level 8: C:\Windows\iexplorer.exe (PID 2884)
                Command line: "C:\Windows\iexplorer.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
Downloads

- Filesize: 69KB
  MD5: 8676b828080ebc2e4d678ebc39c8d35d
  SHA1: 978d178307be5838e61f216083a8d87f7a9b2f0c
  SHA256: 0245d0a11c392294dd118a20608b2ef35262f3652a5c84ae9f115bef61330123
  SHA512: ec693de4be30a997897367943488b951b67eac965ac89b32b0183f614c837cf6238f0c78312e251aeea56a0ce5a81f96f06c01a7074b2826f337345a306a7c81

- Filesize: 52KB
  MD5: 7c9a032aa324fe37d8b45096ae0f3ed6
  SHA1: 78008b53ffeb7398384ec1d409095bb613911b8d
  SHA256: 09e317b750128b38ed7b07edac6ae3f06f10420eba26f78d18729527cae1e861
  SHA512: 3e55e77369182f4be41d1e83c27c4c12049bb40ca3790784023d5389a17ff95d6a4df992cd312588a371369b2992a6cd516f9217b8aef115a4f868851b441638