Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-08-2024 14:28
Static task: static1

Behavioral task: behavioral1
Sample: b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe
Size: 96KB
MD5: b3d41d51773b6d8bd1c087dbd4bbd2df
SHA1: 7c3bd5f56ab707c2b673e2dfa7f5bfbf661e8fdb
SHA256: 79881ab37c38e47907f0d0d802c4cf752ae2922464459cc215b308ddccf4bc80
SHA512: da18e175eee62c57cacf0c0f31ed2f5e8fd5896e5002378c696f6eb1df0f377117e4d7a71e49098de259028729921f7a43ecfce14aad37c864a9aa4b08a7f50b
SSDEEP: 1536:HiLOvRmmQegJW3aOgBbmAQ256/ZrwWnwqjhurmKFct:HiyvRmQKTLs/ZrwWJjAqGct
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
description     | ioc                                                                                                                                                     | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\0911535E = "C:\\Users\\Admin\\AppData\\Roaming\\0911535E\\bin.exe" | winver.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe, winver.exe
description | ioc                                                           | process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   | b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   | winver.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: winver.exe
pid  | process
2260 | winver.exe (64 identical entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: winver.exe
pid  | process
2260 | winver.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe, winver.exe
description                      | pid  | process                                            | target process
PID 1748 wrote to memory of 2260 | 1748 | b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe | winver.exe
PID 1748 wrote to memory of 2260 | 1748 | b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe | winver.exe
PID 1748 wrote to memory of 2260 | 1748 | b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe | winver.exe
PID 1748 wrote to memory of 2260 | 1748 | b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe | winver.exe
PID 1748 wrote to memory of 2260 | 1748 | b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe | winver.exe
PID 2260 wrote to memory of 1200 | 2260 | winver.exe                                         | Explorer.EXE
PID 2260 wrote to memory of 1064 | 2260 | winver.exe                                         | taskhost.exe
PID 2260 wrote to memory of 1132 | 2260 | winver.exe                                         | Dwm.exe
PID 2260 wrote to memory of 1200 | 2260 | winver.exe                                         | Explorer.EXE
PID 2260 wrote to memory of 1232 | 2260 | winver.exe                                         | DllHost.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\taskhost.exe  "taskhost.exe"  (PID: 1064)

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (PID: 1132)

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID: 1200)
  C:\Users\Admin\AppData\Local\Temp\b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\b3d41d51773b6d8bd1c087dbd4bbd2df_JaffaCakes118.exe"  (PID: 1748)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe  winver  (PID: 2260)
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID: 1232)