Analysis
- max time kernel: 142s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:16
Static task
- static1

Behavioral task
- behavioral1
  - Sample: c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
  - Resource: win7-20240705-en

Behavioral task
- behavioral2
  - Sample: c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
- Size: 744KB
- MD5: c06b57795a419ff24115042ef8be2ae8
- SHA1: 1e910c65b55e5315157c60af941f8b1b34a70fab
- SHA256: febfe7f46caf58cea34fc2a7098daf368911b6c7556a7e1e0f70bea0e6393840
- SHA512: 1042195e06b85d1ba8904dcddb2fd05255d26372b547d042d7ef9227f350ae7efe81c7902c0be2c56755f3522210092b59ab85a7b4c328f80c5c3b8a539095fa
- SSDEEP: 12288:jV1a0RlKyUNwKdBZ10uIF+od/wnHiNd8+P7oIAbhSfpGj2//w8JI91SJ7OC2/:jV1awILNN34uvowgGQo/SgQw8e1SJ7OF
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2472 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1676 | las.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\las.exe | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
  File opened for modification | C:\Windows\las.exe | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
  File created | C:\Windows\61642520.BAT | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | las.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2056 | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1676 | las.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1676 | las.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2056 wrote to memory of 2472 | 2056 | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe | 32
  PID 2056 wrote to memory of 2472 | 2056 | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe | 32
  PID 2056 wrote to memory of 2472 | 2056 | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe | 32
  PID 2056 wrote to memory of 2472 | 2056 | c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe | 32
  PID 1676 wrote to memory of 2220 | 1676 | las.exe | 31
  PID 1676 wrote to memory of 2220 | 1676 | las.exe | 31
  PID 1676 wrote to memory of 2220 | 1676 | las.exe | 31
  PID 1676 wrote to memory of 2220 | 1676 | las.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c06b57795a419ff24115042ef8be2ae8_JaffaCakes118.exe"
  PID: 2056
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\61642520.BAT
    PID: 2472
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\las.exe
  Command line: C:\Windows\las.exe
  PID: 1676
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2220
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 218B
  MD5: 444f389c813bf3a58711cece7a6e655b
  SHA1: bc16d2c9dfbf166da4ccd235c517a376dc8bfcfb
  SHA256: 9d54e93d133100b7f2f89622b68f59b3978dc3e3a630145de056a98090e45387
  SHA512: 24af399120e1fd1967a10cf9b0d84005650be66ebfd3909e4070005e862c03cdd9c0b567159cec2c8227168e4f7aaf0513a65bf7eae6f9ee2027d6891326b9c7
- Filesize: 744KB
  MD5: c06b57795a419ff24115042ef8be2ae8
  SHA1: 1e910c65b55e5315157c60af941f8b1b34a70fab
  SHA256: febfe7f46caf58cea34fc2a7098daf368911b6c7556a7e1e0f70bea0e6393840
  SHA512: 1042195e06b85d1ba8904dcddb2fd05255d26372b547d042d7ef9227f350ae7efe81c7902c0be2c56755f3522210092b59ab85a7b4c328f80c5c3b8a539095fa