Analysis
max time kernel: 16s
max time network: 20s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 07:05
Static task: static1
Behavioral task: behavioral1
  Sample: c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
Size: 353KB
MD5: c03448393c61f959a240ee5bcb45ef1a
SHA1: d75ba5e42668663fec578ae5dc5ed4eec9f28992
SHA256: 469b12491ca4a39988193fdc1929c2dd8e871f5961d4c70209b536c88c67ee80
SHA512: 920476cdffc9165fe420dc11f24c908c746647574aa52baf889f217e0688ea2b9340c460b053eef99e2703c1cc52fb22013e7d17e8137635fec142298591acfe
SSDEEP: 6144:c3hoxJAfvPx/3HEYlctbjkE0mPk3Zz6fCGpNQSYiPzVt+93:c3LfvPtXEYqlj9bPk3Zz6fCGJYi5493
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2992  cmd.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (2 IoCs)
  description                   ioc                                          Process
  File created                  C:\Program Files\Outlook Express\system.exe  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
  File opened for modification  C:\Program Files\Outlook Express\system.exe  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
Drops file in Windows directory (3 IoCs)
  description                   ioc                  Process
  File created                  C:\Windows\Mole.Mol  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
  File opened for modification  C:\Windows\Mole.Mol  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
  File created                  C:\Windows\Mole.dll  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                             procid_target
  PID 2160 wrote to memory of 2992  2160  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe  30
  PID 2160 wrote to memory of 2992  2160  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe  30
  PID 2160 wrote to memory of 2992  2160  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe  30
  PID 2160 wrote to memory of 2992  2160  c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe  30
Processes
1. C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe"
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2160
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c Deleteme.bat
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 7bfdbc0952790cb46a1cb492d0acb5e4
SHA1: 26494f976ed8b7b21fd3f7a8575a0ded5b34c42a
SHA256: 743a0d39099d7392d4abc46f745f3168f1b6798570cb2e503cd8875df0b4a117
SHA512: 662c759140dc719328e2309d10c4449448f878b705a297f558e96a310567c28dd7d2d4fddd2131aa68d354006987224917e70b2b25fb88d81c810a4d1c022f35