Analysis
- max time kernel: 134s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-08-2024 15:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  - Resource: win7-20240704-en
- Behavioral task: behavioral2
  - Sample: b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
- Size: 383KB
- MD5: b82d1cff5aa85ebd804d927d80497198
- SHA1: fbedddc09a4289f7e71234a34994523d19dee6c5
- SHA256: bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c
- SHA512: 44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a
- SSDEEP: 6144:oo/MZP+H/3L56PEUzduvxw3gy8nQ7I2ToIk4ou1zCIufyRd1mJJ4HdRpyjsZ8Bz7:pE2HDGUvnu4You1nLRrY27pp
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 1876, process ddgop.exe
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\ddgop.exe, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
- File opened for modification: C:\Windows\ddgop.exe, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
- File created: C:\Windows\wninstal.bat, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process ddgop.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
Suspicious use of WriteProcessMemory (5 IoCs)
- PID 1624 wrote to memory of 3604 (pid 1624, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe, procid_target 93)
- PID 1624 wrote to memory of 3604 (pid 1624, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe, procid_target 93)
- PID 1624 wrote to memory of 3604 (pid 1624, process b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe, procid_target 93)
- PID 1876 wrote to memory of 1504 (pid 1876, process ddgop.exe, procid_target 92)
- PID 1876 wrote to memory of 1504 (pid 1876, process ddgop.exe, procid_target 92)
Processes
- C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe (PID 1624)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 3604)
    - Command line: C:\Windows\system32\cmd.exe /c C:\Windows\wninstal.bat
    - System Location Discovery: System Language Discovery
- C:\Windows\ddgop.exe (PID 1876)
  - Command line: C:\Windows\ddgop.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1504)
    - Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1 (hashes match the submitted sample)
  - Filesize: 383KB
  - MD5: b82d1cff5aa85ebd804d927d80497198
  - SHA1: fbedddc09a4289f7e71234a34994523d19dee6c5
  - SHA256: bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c
  - SHA512: 44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a
- File 2
  - Filesize: 218B
  - MD5: 343b12223d2e03162a5334cce0a79d43
  - SHA1: f6c83adf3109dad858627b885b10bdea3822cdd1
  - SHA256: 02af40c65ae92b280154b63e719af157aa27e475ddac5d9c66e912c49d6ce39c
  - SHA512: ac47008f9caa4f1d0cda934c6a6014e5a0054d215d32107980e6b1d2d583d26ce6031a051b61e31959d90af0533036a98724016ed6b10a2e66bd921c39ce7be5