Analysis
max time kernel: 144s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
Size: 34KB
MD5: c07a4a29b484aa8e9796c31341343aa2
SHA1: 14f6fe6ffdf0645b5dac73f8aab0e1f820271dec
SHA256: 9496905b33fbe997125795f10c41413bc7865d25bda644c8ae8dab71f4429d15
SHA512: 59ac0befceeae0330ad35a8d4b7d941ea1f5eaadf97113f5308219b3b93138fdf127d2960c5ddbfc5db5b3eb157933d3cabba80997c8764a41561d13118cc416
SSDEEP: 384:oKPxOg0L+AofRHabLwVBqfwhk7WPxZ1pwVtMV2FSxfEMKZKQrh2NSHLxSWjYE0WZ:hPINofRHabcVBH4a1pTYSxkK6hAQVS
Malware Config
Signatures

Drops file in Drivers directory (2 IoCs)
  description  | ioc                                  | Process
  File created | C:\Windows\SysWOW64\drivers\beep.sys | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\drivers\beep.sys | Manager.exe

Executes dropped EXE (1 IoC)
  pid  | Process
  3900 | Manager.exe

Drops file in System32 directory (3 IoCs)
  description                  | ioc                             | Process
  File created                 | C:\Windows\SysWOW64\Manager.exe | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\Manager.exe | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  File created                 | C:\Windows\SysWOW64\Manager.exe | Manager.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Manager.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  656 | Process not Found
  656 | Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       | pid  | Process
  Token: SeIncBasePriorityPrivilege | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 3900 | Manager.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                            | procid_target
  PID 4516 wrote to memory of 3900 | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe | 88
  PID 4516 wrote to memory of 3900 | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe | 88
  PID 4516 wrote to memory of 3900 | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe | 88
  PID 4516 wrote to memory of 1048 | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe | 89
  PID 4516 wrote to memory of 1048 | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe | 89
  PID 4516 wrote to memory of 1048 | 4516 | c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe | 89
  PID 3900 wrote to memory of 184  | 3900 | Manager.exe                                        | 90
  PID 3900 wrote to memory of 184  | 3900 | Manager.exe                                        | 90
  PID 3900 wrote to memory of 184  | 3900 | Manager.exe                                        | 90
Processes

C:\Users\Admin\AppData\Local\Temp\c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c07a4a29b484aa8e9796c31341343aa2_JaffaCakes118.exe"
  PID: 4516
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Manager.exe (depth 2)
    command line: "C:\Windows\system32\Manager.exe"
    PID: 3900
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Manager.exe > nul
      PID: 184
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C07A4A~1.EXE > nul
    PID: 1048
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 34KB
MD5: c07a4a29b484aa8e9796c31341343aa2
SHA1: 14f6fe6ffdf0645b5dac73f8aab0e1f820271dec
SHA256: 9496905b33fbe997125795f10c41413bc7865d25bda644c8ae8dab71f4429d15
SHA512: 59ac0befceeae0330ad35a8d4b7d941ea1f5eaadf97113f5308219b3b93138fdf127d2960c5ddbfc5db5b3eb157933d3cabba80997c8764a41561d13118cc416

Filesize: 2KB
MD5: 2de9ca34e22d737cd652c4a03b286d30
SHA1: 7cc13e24ba544265590b99f49a4c768d189ff447
SHA256: 4c8fd01a26646ae36a763dfda0ee663bb92b59f7e09a58ea4441fa4d3aa612b4
SHA512: c6f12a4f52177bc128fd9752746ebe1800b412df43b64f861feb229b8ac8f884b8e9b663f3197e69f22c195aff0281b931440e462270764248a1d0173949cb05