Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
21/08/2024, 21:49
General
-
Target
b52ce99e1702fe34ca062c3b85a208d4_JaffaCakes118.exe
-
Size
60KB
-
MD5
b52ce99e1702fe34ca062c3b85a208d4
-
SHA1
0908d73b1d51c163881b59022faa3306eacab22f
-
SHA256
afd8ec548112f3742829f145a51323cc75102fdbd0a4522bc2b772163d242099
-
SHA512
5146b6afc61edf4d55bf11de2b24e73a8bae604f066a6b6c8f0c48163e9cae8803c856cba44de724a71cc776485e12f7bfa70fab1d48e18dd802c17e38b678e2
-
SSDEEP
1536:Ak3eKNkTSdCS1isFqn+kVDX2FrsqtjEieir6rqAXiN3xOJ8yWkh:N3eVT89qzGFrftLorvXiHS
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b52ce99e1702fe34ca062c3b85a208d4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b52ce99e1702fe34ca062c3b85a208d4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b52ce99e1702fe34ca062c3b85a208d4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b52ce99e1702fe34ca062c3b85a208d4_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\service949.exe-n3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\service949.exe-n4⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5b52ce99e1702fe34ca062c3b85a208d4
SHA10908d73b1d51c163881b59022faa3306eacab22f
SHA256afd8ec548112f3742829f145a51323cc75102fdbd0a4522bc2b772163d242099
SHA5125146b6afc61edf4d55bf11de2b24e73a8bae604f066a6b6c8f0c48163e9cae8803c856cba44de724a71cc776485e12f7bfa70fab1d48e18dd802c17e38b678e2
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
104KB
-
Filesize
152KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
152KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB