Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 12:03
Static task: static1
Behavioral task: behavioral1
- Sample: b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
- Size: 156KB
- MD5: b3629a6421128471135973b74c5ac582
- SHA1: ee5b65425ca732c2520247c2e552b776115363f6
- SHA256: 6c07c7afffc8833235a0cc8385690627ee172043379f3c7a6b7c3a6cb7508887
- SHA512: c3bcf671cdf9ee1ed17a8a985ce10c423d73900e166ada8cfdb41ac279f17d71ee55c21c25fa32f11f86b316b9e823fd7af8b5801158319344fa005ce565627c
- SSDEEP: 3072:hTB8BulaJemBX3cGUN/UCviuTetSRFGGQZORqWxliI:v66MBUN/vbTLrGTZOLm
Malware Config
Signatures
- Deletes itself (1 IoC)
    pid  | Process
    2088 | cmd.exe
- Loads dropped DLL (1 IoC)
    pid  | Process
    1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
- Drops file in System32 directory (4 IoCs)
    description                  | ioc                                    | Process
    File created                 | C:\Windows\SysWOW64\cmo.exe            | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\cmo.exe            | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
    File created                 | C:\Windows\SysWOW64\config\dmscrip.dll | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\config\dmscrip.dll | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc                                                         | Process
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description                       | pid  | Process
    Token: SeIncBasePriorityPrivilege | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description                      | pid  | Process                                            | procid_target
    PID 1256 wrote to memory of 2392 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 30
    PID 1256 wrote to memory of 2392 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 30
    PID 1256 wrote to memory of 2392 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 30
    PID 1256 wrote to memory of 2392 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 30
    PID 1256 wrote to memory of 2088 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 31
    PID 1256 wrote to memory of 2088 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 31
    PID 1256 wrote to memory of 2088 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 31
    PID 1256 wrote to memory of 2088 | 1256 | b3629a6421128471135973b74c5ac582_JaffaCakes118.exe | 31
    PID 2392 wrote to memory of 2524 | 2392 | net.exe                                            | 33
    PID 2392 wrote to memory of 2524 | 2392 | net.exe                                            | 33
    PID 2392 wrote to memory of 2524 | 2392 | net.exe                                            | 33
    PID 2392 wrote to memory of 2524 | 2392 | net.exe                                            | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3629a6421128471135973b74c5ac582_JaffaCakes118.exe"
  PID: 1256
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net start BITS
    PID: 2392
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start BITS
      PID: 2524
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B3629A~1.EXE > nul
    PID: 2088
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 476b4f944519106461b2b7d563d080f0
  SHA1: f037e32a73df5567d601ef0d6c497637aceb1627
  SHA256: c400c50671d7fc01c405e5eadddc8c210d5f23f4397baf6a3270f7351dba9a35
  SHA512: 0606578ce00d331377a5e90fb41f67a8eacb621f2290dc5f3904c0864802c930fc7bde08a97fd02087fedb6c7b7c783e5c67a6424016276910d870f365d3b53f