Analysis
-
max time kernel
132s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2024, 14:33
Static task
static1
Behavioral task
behavioral1
Sample
b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
-
Size
64KB
-
MD5
b3d90803a6fd19e269464a8cd4c20a45
-
SHA1
4d3cb719a60e6a04ed41df5763b13892f8e52411
-
SHA256
3556edcc85a505d1418e3bfaa462ca1e15a60a090b8378fd682f02795ebf6c4b
-
SHA512
c5dcfd3fad1ca55f469ac6984256b8ed2c258453b44d670448fc3535d61d89725de04a5eaa4c65a467f0792b87fcf419591379ca35112cb882609d73a8489511
-
SSDEEP
1536:CjeITyz4z8SA/vn8bTSG01HDriL78TJ/HkAgLG3yc9/Kwgi5qWCv:WTB8SAHMT5Q6YTtH4LqhyXig9
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\TTP Ad Ctrl = "{04B21D11-8112-4C32-880C-0531DC50C7FC}" b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe -
Loads dropped DLL 2 IoCs
pid Process 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 2144 rundll32.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1752 set thread context of 4424 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 86 PID 1752 set thread context of 2588 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 94 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\TTPlayer\TTPAdvCtrl.dll b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 2628 4424 WerFault.exe 86 4628 2588 WerFault.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}\InprocServer32 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC} b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}\InprocServer32\ = "C:\\Program Files (x86)\\TTPlayer\\TTPAdvCtrl.dll" b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}\InprocServer32\ThreadingModel = "Apartment" b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe -
Runs regedit.exe 1 IoCs
pid Process 4424 regedit.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1752 wrote to memory of 4424 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 86 PID 1752 wrote to memory of 4424 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 86 PID 1752 wrote to memory of 4424 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 86 PID 1752 wrote to memory of 4424 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 86 PID 1752 wrote to memory of 3420 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 56 PID 1752 wrote to memory of 2144 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 93 PID 1752 wrote to memory of 2144 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 93 PID 1752 wrote to memory of 2144 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 93 PID 1752 wrote to memory of 2588 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 94 PID 1752 wrote to memory of 2588 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 94 PID 1752 wrote to memory of 2588 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 94 PID 1752 wrote to memory of 2588 1752 b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe 94
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe"2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\regedit.exe"C:\Windows\regedit.exe"3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:4424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 5204⤵
- Program crash
PID:2628
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Program Files (x86)\TTPlayer\TTPAdvCtrl.dll",DllPreTranslateMessage3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2144
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 3004⤵
- Program crash
PID:4628
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4424 -ip 44241⤵PID:2224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2588 -ip 25881⤵PID:2172
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD58b9bb2f1d608260192921f35201880d1
SHA11c3d26f4458f4edda01c9bd6a8cac195d73a74e1
SHA256db8d4005083934173820c1389a9d9530d198a64af1d432fba0719a5b2684decc
SHA512092ed54fc2cb341ba8740df77d9bf5fe3639f1bf26a1513093647e1783c707a9531f261779ef921cb2dc29f20d625904051861cdf97bf05da21dd59c3184c5cf