Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21-08-2024 01:12
Static task: static1

Behavioral task: behavioral1
- Sample: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
- Size: 282KB
- MD5: b19825e5e89001fd7c06c56670b023ac
- SHA1: 6b7210b800494fd6a148d7ca8414990c64108d54
- SHA256: 40341be3547e272970b36f04b4fce4f957e297420155586305c1f8fae45dce42
- SHA512: c589794be4cce830a455b17685168c6678e95ad57eb8422b3832d76bcc188a048ece276bf573083c9b2da25d4cd5236c65f382717dde4f279d3de4500d048735
- SSDEEP: 6144:n82HPKAA9jslC3NvjuqNCjV+GenP8n3JTLLe3:82HPKh9jJd/N+V+GenE3pLm
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid   Process
  1128  cmd.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2324  wyko.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  624   b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
  624   b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Jiutyg\\wyko.exe"
  Process: wyko.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 624 set thread context of 1128
  pid: 624
  Process: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
  procid_target: 31
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: cmd.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: wyko.exe

Modifies Internet Explorer settings
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy
  Process: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe

  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
  Process: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   Process
  2324  wyko.exe   (31 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeSecurityPrivilege
  pid: 624
  Process: b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
  (3 identical entries)

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  624   b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
  2324  wyko.exe

Suspicious use of WriteProcessMemory (38 IoCs; repeated entries collapsed, count in last column)
  description                        pid   Process                                               procid_target  entries
  PID 624 wrote to memory of 2324    624   b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe   30             4
  PID 2324 wrote to memory of 1116   2324  wyko.exe                                              19             5
  PID 2324 wrote to memory of 1204   2324  wyko.exe                                              20             5
  PID 2324 wrote to memory of 1252   2324  wyko.exe                                              21             5
  PID 2324 wrote to memory of 932    2324  wyko.exe                                              25             5
  PID 2324 wrote to memory of 624    2324  wyko.exe                                              29             5
  PID 624 wrote to memory of 1128    624   b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe   31             9
Processes (tree; indentation shows parent/child relationship)

- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1116

- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1204

- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1252

  - C:\Users\Admin\AppData\Local\Temp\b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b19825e5e89001fd7c06c56670b023ac_JaffaCakes118.exe"
    PID: 624
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\Jiutyg\wyko.exe
      command line: "C:\Users\Admin\AppData\Roaming\Jiutyg\wyko.exe"
      PID: 2324
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpade74e44.bat"
      PID: 1128
      - Deletes itself
      - System Location Discovery: System Language Discovery

- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 932
Network
- No results found

- 105 B 1
- 254 B 1
- 300 B 1
- 189 B 1
- 176 B 1
- 188 B 1
- 195 B 1
- 197 B 1
- 109 B 1
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 271B
  MD5: 150b106f9600abf45da4a3c29962e2cc
  SHA1: 8f55d884ae27db3374c8445b86b46cbf85c1e8b6
  SHA256: 8c76ab15e155a332e16f491c7aac666ae3f1b301e5785eee4c62b4b1348c3ea7
  SHA512: a025b5c996c9a5c12a9940df599a0b011bdd815ce158ea4079504680ddc38302fede7accca2a0b21234b600c8c716b8878ae4c6dfeb8e829f268d6767a2cda76

- Filesize: 282KB
  MD5: d5f5c931cd3143c7cba641f4d6fe383e
  SHA1: bf92cddbb9f6b50a666decf9cc349c5443550783
  SHA256: 71958ed29f7d5f19123d7fc032b245688e03e139bca2df3e9aee3806a7997f6e
  SHA512: 94f527ad2bc42c4707faeb7e4a863108c9fbfeb035aec6f9274bedb0b9647532832a79461bd5710dacfd3523c4ceeae247517798f182b3be723cf979d878d779

- Filesize: 380B
  MD5: 0f212e0ac92a43efada2ee84e82626f5
  SHA1: a96a7bbd6e303387bbc37e83f3db5487e62ea323
  SHA256: 16e803367a7d229d55d1e7a3441effb5ca19e141b86cb40573f695e5e9513a32
  SHA512: 9acd44caa10e0c458671aad1e1457baae552de2154798c9117247de548f81861d6dfc5260ead7dc77956d5416d913dd9f44a1a2af6fb471f4abe1f38f4a3ecb3