Analysis
  Max time kernel: 146s
  Max time network: 150s
  Platform: windows7_x64
  Resource: win7-20240729-en
  Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  Submitted: 27-08-2024 21:42
  Static task: static1
  Behavioral task: behavioral1
    Sample: c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe
    Resource: win7-20240729-en
General
  Target: c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe
  Size: 464KB
  MD5: c5cbe27159d3c5bb095f1bdb75bf0d95
  SHA1: 73fb46b8ac71bbc8cbbbf49e52f1ed1091fe0ec6
  SHA256: 1b219bfed6210a9679570032bba9c2b209a0c06ea3e07b94df7727767472c9d3
  SHA512: da6cf62c72e1b151733c5a88620fc7ed5c725125ad8490b75fca5ba6ee6760bcf2f5342b374f7a170bae775621424a8c0291c9a4fb20422d03afcec6add5ef80
  SSDEEP: 12288:uxGfMUSKRLRYWcswKpxe66WglV1s3kUu1nDLH0W+SIz/7Y9EObzcZwj2ZX:FR6W4MheLHb+Dz7YWObzKwC9
Malware Config
Signatures
  Drops startup file (1 IoC)
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iXNjjQ.url | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe

  Suspicious use of SetThreadContext (1 IoC)
    description | pid | process | procid_target
    PID 1900 set thread context of 2852 | 1900 | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe | 33

  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid | process
    1900 | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe
    1900 | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe

  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid | process
    2852 | RegAsm.exe

  Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description | pid | process
    Token: SeDebugPrivilege | 1900 | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe
    Token: SeDebugPrivilege | 2852 | RegAsm.exe
    Token: 33 | 2852 | RegAsm.exe
    Token: SeIncBasePriorityPrivilege | 2852 | RegAsm.exe

  Suspicious use of SetWindowsHookEx (1 IoC)
    pid | process
    2852 | RegAsm.exe

  Suspicious use of WriteProcessMemory (20 IoCs; identical rows grouped, count in last column)
    description | pid | process | procid_target | count
    PID 1900 wrote to memory of 2796 | 1900 | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe | 30 | 4
    PID 2796 wrote to memory of 2776 | 2796 | csc.exe | 32 | 4
    PID 1900 wrote to memory of 2852 | 1900 | c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe | 33 | 12
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c5cbe27159d3c5bb095f1bdb75bf0d95_JaffaCakes118.exe"
      PID: 1900
      - Drops startup file
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gdwaxls\3gdwaxls.cmdline"
          PID: 2796
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5725.tmp" "c:\Users\Admin\AppData\Local\Temp\3gdwaxls\CSC49BCB374661C4F9DA2DC27256ADCBAC.TMP"
              PID: 2776
              - System Location Discovery: System Language Discovery

      [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 2852
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

  [1] C:\Windows\system32\wbem\WmiApSrv.exe
      Command line: C:\Windows\system32\wbem\WmiApSrv.exe
      PID: 2180

  [1] C:\Windows\system32\wbem\WmiApSrv.exe
      Command line: C:\Windows\system32\wbem\WmiApSrv.exe
      PID: 2928
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 16KB
    MD5: 8e0c3c1bf484c513e531e8ec5dae2b5b
    SHA1: dabdd5e1902a406262a178f6b87c290927985922
    SHA256: e7fcfbe0a660aba9e1b828cb3f7ba7f6773873a13d71a3e480f0a04d51405c43
    SHA512: de4b2a6fd47a4a406810c6d10710db5b22b4f4b023df0af44d45ba31df1d21d6902562fd4fbda7a4282653dbaef51a4ccd3b5c42f044189fc14094104f2bcbad

  File 2
    Filesize: 49KB
    MD5: d8ff1a960b68dc0add7131f67cfa0aaf
    SHA1: 3d68332855a70dc0e8c648f83f52325c52e78088
    SHA256: 6c52675b49e7f1c7aa9266f51c8cc72fb0942774a80076a8cdb6d5adf3783228
    SHA512: fec77c2fa5837eb4c44e9bd4f96b5b0f788e0e9518a4253d9812c115bbc62d04dbf7d8e4c65d878d9a98506637602ff95ea9c52142d46d58fa1dc77ea60ad6a4

  File 3
    Filesize: 1KB
    MD5: 641fd318a3df428b05588f3594ad7987
    SHA1: 5ba91bdec4f5c843b85583fd0501142b6ee59afa
    SHA256: c676c4192b17edd6264d6ee6f153f4ff5eaad815d07be1d82097e5f48e57141b
    SHA512: fb3b767f6a97fb1fb6a9d1993e427314eff613b6ab501e408367fec1500aebaf7883bd95a3259fb8e53b0d6401448c09d22f30812e993ad300c039b1cc48145d

  File 4
    Filesize: 35KB
    MD5: 7e6c866ffbdec7a2d4a9da215a8cfcf8
    SHA1: 9f60f4c44306385119ef6d5f24162b9db9452d2f
    SHA256: 9f41693eec13e207e59c0896f3c24ef786c0a5ad2b6181b00579c3fb80ca7fc8
    SHA512: 7467c895fb28610819e0fa22a288a7d29d828c197fedfdd71b76bbe82c80df256020852d2d1089c44832d7a5e389d722d4ec05a259ac0eeb4494bc0f15b4d89d

  File 5
    Filesize: 312B
    MD5: bea2eba02363526636c85f0451dc471b
    SHA1: f9c143fd0e5ee92cf20b28ca8c0f4ab82cbebda4
    SHA256: c705840cc6662918b4f5cc75edd772d14a78a82bedb0bbc7f555decfd602feec
    SHA512: fbe86fae40d9af406d90a125cd00e0a4f7881070a9ee8124ebed154ddc94841a984903eef484e14d45a5670ee07953a05841797380eecb5318c0c7912803c854

  File 6
    Filesize: 1KB
    MD5: 551966555d00ce6c18f3c7169ffda495
    SHA1: f2136ebfb59e01b1cdde492c44dab8e5dd3d9bcc
    SHA256: 677af58f960313226154e93750f6e2b560e28f8b2cb30c60c2c907d5b6df3168
    SHA512: dc83ff3c28c6482d3a2543619ba3bea22f4947fcf7c484e8cd76b2e8ea3cee97e91ea57743f6162042f82e8bdb41f87df33d686ed577564fb5482d7e5049005c