Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-08-2024 06:08

General

  • Target

    ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    ae22b1110abb73934484f09ba1eb5908

  • SHA1

    658dccb54121935afd0d59dcf74a5f8a84d63c8b

  • SHA256

    68087813622b66eb7e03679ae9015d6098fc4aea131eff8d0ee93344f818b38a

  • SHA512

    92ff2983d011b8d61c1322d10d124ac3b47df81e1e9056167b13bb92864b0440d62de5bcd5a4f7d66c209b0bd8e26ae117dd0cb426ba0b3f4ccbd4010f8f000b

  • SSDEEP

    384:Aees2vD+SqfPk8UWlJEfuzHAFCgIN3wx1M1Uy0LBCf/1AJIwCF9UKDb:Afs2qSqfFBPEfmEIN3SMWyp/cpE9Uo

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\Deletedll.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~22.tmp

    Filesize

    10KB

    MD5

    1b041b89de8730ce73a81ca00bd4396f

    SHA1

    7a987eec8d58bb26d30ab48b3a81c78f89410cdc

    SHA256

    5b9109d0adf77e886f40f3f28ab12caa4253ec2ad79b886eaca45a88fee98225

    SHA512

    247e6614f1c81ae11e111fe6b8f6f3acb415253bb5a4e13cf9700effc020a32c7d4148eb86cc77cf492175427edc12d20e1ec919e5134fd777fe7d7085d6a940

  • C:\Windows\SysWOW64\Deletedll.bat

    Filesize

    126B

    MD5

    b0747c5e5c13377d9cef3a17590642cd

    SHA1

    e36202056e3ad7bb63e33f015e629c2b1e80eee2

    SHA256

    1e78468d173face431392b2265e6de5908c6a570166e7e26924532accb05715e

    SHA512

    803ca37fcf3e5ccb0a30b7f05867bbf3213936884058ac4022d50ada9377eaf85590dc1cc2d1b1cd7f3278f6dd109879799c1325ff075f72a819ab98420a611c

  • memory/2448-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2448-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2448-21-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB