Analysis
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-08-2024 20:53

Static task: static1
Behavioral task: behavioral1
  Sample: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
Size: 22KB
MD5: b501aba04c3b15988a4b6c7402b005bb
SHA1: 37c735bb479a37db922ee73306ec4d6bbb802c37
SHA256: 72c787288d5592cc86f7a6556042a2da1059925682c7c10dd7c05000da453e39
SHA512: 4621311fa46dffd24793b568476a5a3041b1e1bc89f3a5e5f8fc8dcd3cf825331b58424d44780c54367b5beb746f87e0e9577125acc97fcb34978f7f27e1ef9b
SSDEEP: 384:IDD2TOgvcVuoA19Ai0eVwkxiz7eqoeNM6KMaHVya4eYnq+GpzHtpPKF3:MXuoAzrDqoB4fIpzNpPK
Malware Config
Signatures
Deletes itself (1 IoC)
- PID 2316, cmd.exe

Executes dropped EXE (2 IoCs)
- PID 2388, system
- PID 2888, alg.exe
Loads dropped DLL (5 IoCs)
- PID 2912, b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
- PID 2912, b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
- PID 2912, b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
- PID 2912, b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
- PID 2684, svchost.exe
Drops file in System32 directory (1 IoC)
- File created: C:\Windows\SysWOW64\fuzdsp.dll (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 2912 set thread context of 2684 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 34)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\Fonts\system (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe)
- File created: C:\Windows\Fonts\alg.exe (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe)
- File created: C:\Windows\Downloaded Program Files\spoolv.exe (process: alg.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: alg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Modifies Internet Explorer start page (1 TTP, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com" (process: system)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2912, b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
- PID 2388, system
- PID 2888, alg.exe
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 2912 wrote to memory of 2388 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 31)
- PID 2912 wrote to memory of 2388 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 31)
- PID 2912 wrote to memory of 2388 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 31)
- PID 2912 wrote to memory of 2388 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 31)
- PID 2912 wrote to memory of 2888 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 32)
- PID 2912 wrote to memory of 2888 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 32)
- PID 2912 wrote to memory of 2888 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 32)
- PID 2912 wrote to memory of 2888 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 32)
- PID 2912 wrote to memory of 2684 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 34)
- PID 2912 wrote to memory of 2684 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 34)
- PID 2912 wrote to memory of 2684 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 34)
- PID 2912 wrote to memory of 2684 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 34)
- PID 2912 wrote to memory of 2684 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 34)
- PID 2912 wrote to memory of 2316 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 35)
- PID 2912 wrote to memory of 2316 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 35)
- PID 2912 wrote to memory of 2316 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 35)
- PID 2912 wrote to memory of 2316 (process: b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe, procid_target: 35)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe"
   PID: 2912
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Fonts\system
      Command line: C:\Windows\Fonts\system
      PID: 2388
      - Executes dropped EXE
      - Modifies Internet Explorer start page
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\Fonts\alg.exe
      Command line: C:\Windows\Fonts\alg.exe
      PID: 2888
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2684
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c c:\DEL.bat
      PID: 2316
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads