Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: $_3_.exe
  Resource: win7-20240708-en
Behavioral task: behavioral4
  Sample: $_3_.exe
  Resource: win10v2004-20240802-en
General
Target: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Size: 967KB
MD5: c07392e48322e4efde24d759d27262f5
SHA1: b1c17d7a9ee01164f79aefbab2d9d792648136b1
SHA256: 517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a
SHA512: 9ae4e28ea9554801dbfb3ecc15e54c77bf085bc266338993939dcff797702747ab6b7c3a035bdcd145209d2cbf190f513ea07f175160c2d7127e9ddd9d306e16
SSDEEP: 24576:5tXCT35bEN60Yc/rMegvH6RK1aeGokgwH8:5KBtV6MjvH6RIrDC8
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 2132  Process internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Loads dropped DLL (1 IoCs)
  pid 2116  Process c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 2424  Process PING.EXE
Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2424  Process PING.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2132  Process internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2132  Process internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe  (3 identical entries)
Suspicious use of WriteProcessMemory (15 IoCs)
  description  pid  Process  procid_target
  PID 2116 wrote to memory of 2132  2116  c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe  31  (7 identical entries)
  PID 2132 wrote to memory of 1732  2132  internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe  33  (4 identical entries)
  PID 1732 wrote to memory of 2424  1732  cmd.exe  35  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"
   PID: 2116
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp/fallbackfiles/'
      PID: 2132
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\""
         PID: 1732
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 1 -w 1000
            PID: 2424
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 214B
MD5: 739fcc7ba42b209fe44bea47e7a8c48f
SHA1: bc7a448a7c018133edcf012bc94301623eb42c5b
SHA256: 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
SHA512: 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt
Filesize: 5KB
MD5: c63d7b1e0809942e9ddcd4fa117a6dc1
SHA1: 031c37fe44803015210b3437a4a88e15eba1a009
SHA256: 2942e34dfe53a45c358a0a2c793bab1446ee9997f638c70b67b78f671847c396
SHA512: 2922532c93adf94959e886234f535434700f42ad5bd8857337b07886915c17e24aa5e9f2fb77f2562ff44c38b9c475d0b32816a8655163f5f2c8eba90b7b72ad

C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt
Filesize: 9KB
MD5: 2afa019ce5d278359bb1e6219932c2c3
SHA1: eef70003ddfce7fbf488d5ffa214bbb2c8584a7e
SHA256: 3e6de7606e8b581b5672d3ff70594950aa76c4fe87d953093c9f4c806918d6f8
SHA512: 89647f17b9341e3a43239f5f28d9382e1f00534e709854c3b9fb0c04f3e160c2fce49b34ec58aa9d0e262baae99c1669d61da61e53d044bf58010d5743a17165

Filesize: 124KB
MD5: ebd9b0557293057bc6a1cd80ca1bcbf0
SHA1: 113cbf031f612faaa4096dbba46f4d2af959d73c
SHA256: 5df1a0cd7ff8b44f33ca817422bd85d17000c33d4eb972fe05502160dac4f5d0
SHA512: a51acff2c1003f6f64ca612c8ad340a9c827a752a3bf256c014fc4d1e74a11838ee9749e12dff3d2e9188e1b99531ead24d7f93d98ed571f8064b0fbe594609c

C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico
Filesize: 11KB
MD5: 592abe695d3fb84c8a7589b0d2553a97
SHA1: d70d6de6fa25ca1924bd02b84075ee94f3870133
SHA256: ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0
SHA512: a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png
Filesize: 136KB
MD5: 0a8589de904eec91522c276d896216c4
SHA1: 58ba5e9158c3afa3c3112fe1e24567996794c07e
SHA256: 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55
SHA512: bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Filesize: 1.8MB
MD5: 77bfacca17ee1d89833b57f3a746d9a0
SHA1: aa9490c913489c5eafd02f67f875efcb56d23036
SHA256: 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512: 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f