Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
23-08-2024 15:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe
-
Size
80KB
-
MD5
bc3befb2f1d040d5cdf832bd1fdea92d
-
SHA1
ba206f845c2386cf931d7b83003847ecdf607fac
-
SHA256
02f3a65431c6223ceac8ad0a18cce41a976e572b1a1817eb8b39c7fe95a53be4
-
SHA512
119b12e0a6f792eece79ae2d1347ecf9ab822c99615e7cd47ce5e9fa6e062e192c7c1068860877cf6237ce192b3a538ad4d702087c9a81d60b9c7791801973ac
-
SSDEEP
768:ev6nMfqH++4qZHcAc8ebdtF5EmpW/p/hxRSH9NxIkL9v/Q6sWD:ev6Mq92ZKmpSFhxRSHdL9bsS
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" mfkiej.exe -
Executes dropped EXE 1 IoCs
pid Process 2672 mfkiej.exe -
Loads dropped DLL 2 IoCs
pid Process 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\mfkiej = "C:\\Users\\Admin\\mfkiej.exe" mfkiej.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3060 2396 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mfkiej.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe 2672 mfkiej.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 2672 mfkiej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2672 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 30 PID 2396 wrote to memory of 2672 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 30 PID 2396 wrote to memory of 2672 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 30 PID 2396 wrote to memory of 2672 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 30 PID 2396 wrote to memory of 3060 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 31 PID 2396 wrote to memory of 3060 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 31 PID 2396 wrote to memory of 3060 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 31 PID 2396 wrote to memory of 3060 2396 bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 2396 2672 mfkiej.exe 29 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31 PID 2672 wrote to memory of 3060 2672 mfkiej.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bc3befb2f1d040d5cdf832bd1fdea92d_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\mfkiej.exe"C:\Users\Admin\mfkiej.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 7842⤵
- Program crash
PID:3060
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD5a93a6348e76b5204021b05184bb02169
SHA159d3bfa5194c8c55cb0b894e6a394e2cdf6b6bf2
SHA256a8933afb6008334e5400236c57306847836cea96d790ee6df4e7cf513d617e07
SHA5125ff7c8a03294636c111673c4d4ac5f76140c9f6b4c2ec6869dfecf65f8fea1037bb1ce8bf09d3738740563db2f98972e9df75d43df0a6506811f06051b39e6c2