Analysis
Max time kernel: 122s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 25/08/2024, 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
Size: 1.6MB
MD5: c073afd8de644949c2c3598230216a66
SHA1: c057eb3365f7be929ffbaa6ffd29a58cea83b9f4
SHA256: c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d
SHA512: 346143dc5c765cda704370dfa5ac67ac40f573f8e51f294bcb1a060042af79dc639abf31d4bae1b129c5a97398a6be798ea01b6dcd79b83a827fc0c6c63952ae
SSDEEP: 49152:BZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9I:BGIjR1Oh0T0
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Two of the three hits come from stock Windows binaries (cmd.exe, PING.EXE) that the sample spawned, so on its own this signature carries little weight.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  940   PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  940   PING.EXE

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Every row pairs a parent PID with the direct child it created (2772 -> 856, 856 -> 940), matching the edges of the process tree below; no write into an unrelated process is recorded.
  description                       pid   Process                                              procid_target
  PID 2772 wrote to memory of 856   2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe   31
  PID 2772 wrote to memory of 856   2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe   31
  PID 2772 wrote to memory of 856   2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe   31
  PID 2772 wrote to memory of 856   2772  c073afd8de644949c2c3598230216a66_JaffaCakes118.exe   31
  PID 856 wrote to memory of 940    856   cmd.exe                                              33
  PID 856 wrote to memory of 940    856   cmd.exe                                              33
  PID 856 wrote to memory of 940    856   cmd.exe                                              33
  PID 856 wrote to memory of 940    856   cmd.exe                                              33
Processes
1. C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"
   PID: 2772
   Signatures:
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2772)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\""
      PID: 856
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (child of PID 856)
         Command line: ping 1.1.1.1 -n 1 -w 1000
         PID: 940
         Signatures:
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Runs ping.exe
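The chain in the tree above (a Temp-resident executable spawning cmd.exe to run a batch file from Temp, which in turn runs a single ping with -n 1 -w 1000) is worth hunting for on its own, independent of this sample's hashes. The contents of 24436.bat are not captured in the report, so whether the one-shot ping to 1.1.1.1 is a connectivity check, a delay before the batch does something else, or both cannot be decided from this page. The script below is an added example and not part of the sandbox report: it runs that hunt over constructed Sysmon Event ID 1 style process-creation records whose PIDs, images and command lines are copied from the tree (2772 -> 856 -> 940), plus a constructed benign control (an interactive cmd.exe pinging a host four times). The record fields, the parent PIDs 1000 and 500, the benign host name and the regexes are assumptions of the example.

```python
"""Hunt for the exe -> cmd /c <Temp>\\*.bat -> ping -n 1 chain from the process tree.

Added example, not part of the sandbox report. Records are constructed to
mirror the report's tree (PIDs 2772 -> 856 -> 940); field names follow
Sysmon Event ID 1 (ProcessCreate) naming but the records are hand-built.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample records. The first three are taken from the report's
# process tree (parent PID 1000 of the sample is made up; the report does not
# give it). The last two are a benign control with made-up PIDs and host name.
SAMPLE_EVENTS = [
    ProcEvent(2772, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"'),
    ProcEvent(856, 2772, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" '
              r'"C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\""'),
    ProcEvent(940, 856, r"C:\Windows\SysWOW64\PING.EXE", r"ping 1.1.1.1 -n 1 -w 1000"),
    ProcEvent(1200, 500, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\PING.EXE", r"ping fileserver -n 4"),
]

# Per-user Temp directory, as it appears in both the sample's image path and the batch path.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "cmd /c <script>" where the script is a .bat/.cmd; tolerates the doubled quotes cmd.exe accepts.
BAT_IN_CMD_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.(?:bat|cmd))', re.IGNORECASE)

# Windows ping switches that consume the following token.
_PING_SWITCHES_WITH_ARG = {"-n", "-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-c", "-p"}


def parse_single_ping(cmdline):
    """Return the ping target if cmdline is a one-shot ping (-n 1), else None."""
    toks = cmdline.split()
    if not toks:
        return None
    exe = toks[0].strip('"').lower()
    if not (exe == "ping" or exe.endswith("ping.exe")):
        return None
    count = target = None
    i = 1
    while i < len(toks):
        tok = toks[i].lower()
        if tok == "-n" and i + 1 < len(toks):
            count = toks[i + 1]
            i += 2
        elif tok in _PING_SWITCHES_WITH_ARG and i + 1 < len(toks):
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            target = toks[i]
            i += 1
    return target if count == "1" else None


def find_temp_bat_ping_chains(events):
    """Return one (exe_pid, cmd_pid, ping_pid, bat_path, ping_target) per chain
    Temp-resident exe -> cmd /c <Temp>\\*.bat -> ping <target> -n 1."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ping in events:
        if not ping.image.lower().endswith("ping.exe"):
            continue
        target = parse_single_ping(ping.cmdline)
        if target is None:
            continue
        cmd = by_pid.get(ping.ppid)
        if cmd is None or not cmd.image.lower().endswith("cmd.exe"):
            continue
        bat = BAT_IN_CMD_RE.search(cmd.cmdline)
        if bat is None or not TEMP_DIR_RE.search(bat.group(1)):
            continue
        exe = by_pid.get(cmd.ppid)
        if exe is None or not TEMP_DIR_RE.search(exe.image):
            continue
        hits.append((exe.pid, cmd.pid, ping.pid, bat.group(1), target))
    return hits


if __name__ == "__main__":
    for exe_pid, cmd_pid, ping_pid, bat, target in find_temp_bat_ping_chains(SAMPLE_EVENTS):
        print(f"chain {exe_pid} -> {cmd_pid} -> {ping_pid}: {bat} pings {target} once")
```

On real telemetry, key the parent lookup on Sysmon's ProcessGuid rather than the numeric PID: PIDs are reused, and a lookup by PID alone can attach a ping to the wrong parent once the original process has exited.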
Network
MITRE ATT&CK Enterprise v15
Downloads
Files dropped during the run (the second and third entries are listed by hash only; the report gives no path for them):

1. C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DDFB6C12481E9E8B48DF4F206E6D_LogFile.txt
   Filesize: 10KB
   MD5: 0afbd43579a9c07b24bfd1df3d9c5a91
   SHA1: bd4719178500e5e0e0cae4747a16fba9effef5ac
   SHA256: 1bdbe06decceca9523823f1c9b2c34d1656152124ab4321888eada132e764f61
   SHA512: 4ff63efd5f820a5c5266a16c57f752ad074707680cf6036d1d812f12d7b39a9898ab9dc6c01e93aa164fa3399887898e6c7fa4ca199d60901bd138dfd4e779a4

2. (path not given in the report)
   Filesize: 120KB
   MD5: 80224460f59b41e96bcdc2f61f2cf089
   SHA1: a974c29bfc8c4ae9b6baaa900e4b71ebb2eed947
   SHA256: 39133a3ef8637bd48a9f2ff3a1c43c50de7f975bf3d073a0940097f8be6a8166
   SHA512: ce4d33895be10f3c0f29e5b08f924b40c11cfbfd54f39333b176d1631bd1c38f304fdf40126d15e782c406bd2b912514fb477b9440d54ac22d185223d372f1fb

3. (path not given in the report)
   Filesize: 212B
   MD5: 668767f1e0c7ff2b3960447e259e9f00
   SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
   SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
   SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680