Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20-08-2024 06:08
Static task
static1
Behavioral task
behavioral1
Sample
ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe
-
Size
24KB
-
MD5
ae22b1110abb73934484f09ba1eb5908
-
SHA1
658dccb54121935afd0d59dcf74a5f8a84d63c8b
-
SHA256
68087813622b66eb7e03679ae9015d6098fc4aea131eff8d0ee93344f818b38a
-
SHA512
92ff2983d011b8d61c1322d10d124ac3b47df81e1e9056167b13bb92864b0440d62de5bcd5a4f7d66c209b0bd8e26ae117dd0cb426ba0b3f4ccbd4010f8f000b
-
SSDEEP
384:Aees2vD+SqfPk8UWlJEfuzHAFCgIN3wx1M1Uy0LBCf/1AJIwCF9UKDb:Afs2qSqfFBPEfmEIN3SMWyp/cpE9Uo
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Deletedll.bat ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 476 Process not Found -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2448 wrote to memory of 2724 2448 ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe 30 PID 2448 wrote to memory of 2724 2448 ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe 30 PID 2448 wrote to memory of 2724 2448 ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe 30 PID 2448 wrote to memory of 2724 2448 ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ae22b1110abb73934484f09ba1eb5908_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Deletedll.bat2⤵
- System Location Discovery: System Language Discovery
PID:2724
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD51b041b89de8730ce73a81ca00bd4396f
SHA17a987eec8d58bb26d30ab48b3a81c78f89410cdc
SHA2565b9109d0adf77e886f40f3f28ab12caa4253ec2ad79b886eaca45a88fee98225
SHA512247e6614f1c81ae11e111fe6b8f6f3acb415253bb5a4e13cf9700effc020a32c7d4148eb86cc77cf492175427edc12d20e1ec919e5134fd777fe7d7085d6a940
-
Filesize
126B
MD5b0747c5e5c13377d9cef3a17590642cd
SHA1e36202056e3ad7bb63e33f015e629c2b1e80eee2
SHA2561e78468d173face431392b2265e6de5908c6a570166e7e26924532accb05715e
SHA512803ca37fcf3e5ccb0a30b7f05867bbf3213936884058ac4022d50ada9377eaf85590dc1cc2d1b1cd7f3278f6dd109879799c1325ff075f72a819ab98420a611c