Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 11:34
Behavioral task: behavioral1
Sample: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
Size: 108KB
MD5: c8bd995346f61308e200199c7e041b3c
SHA1: 46a39c9425bff794916493459f8bffd9e6915af4
SHA256: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f
SHA512: 9f820d527a5b05d8003d3350ef2428f6d956ec63b42f3d9097df9989f1d1a219841ebe4959eb75c7cc3ab9e36dbebab0e32d9cfc49c114bfc2d7a30373124755
SSDEEP: 3072:FCrRG9LgWHyMp6awrpEoNLna7TpP7N5LtgxH:FCrskJaYvn+PdgB
Malware Config
Signatures
- Drops file in System32 directory (1 IoCs)
  Processes: smallhotspot.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | smallhotspot.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe, smallhotspot.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smallhotspot.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smallhotspot.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
- Modifies data under HKEY_USERS (21 IoCs)
  Processes: smallhotspot.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | smallhotspot.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | smallhotspot.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | smallhotspot.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0024000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | smallhotspot.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dc-e0-a5-73-4f | smallhotspot.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dc-e0-a5-73-4f\WpadDecisionTime = b019ff8507fada01 | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | smallhotspot.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | smallhotspot.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C0AB2A-80FC-44A5-B6CE-6BEE348EA0EE}\WpadDecisionReason = "1" | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C0AB2A-80FC-44A5-B6CE-6BEE348EA0EE}\ee-dc-e0-a5-73-4f | smallhotspot.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | smallhotspot.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C0AB2A-80FC-44A5-B6CE-6BEE348EA0EE} | smallhotspot.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C0AB2A-80FC-44A5-B6CE-6BEE348EA0EE}\WpadDecisionTime = b019ff8507fada01 | smallhotspot.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C0AB2A-80FC-44A5-B6CE-6BEE348EA0EE}\WpadDecision = "0" | smallhotspot.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C0AB2A-80FC-44A5-B6CE-6BEE348EA0EE}\WpadNetworkName = "Network 3" | smallhotspot.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dc-e0-a5-73-4f\WpadDecisionReason = "1" | smallhotspot.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dc-e0-a5-73-4f\WpadDecision = "0" | smallhotspot.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: smallhotspot.exe
  pid | process
  2088 | smallhotspot.exe
  2088 | smallhotspot.exe
  2088 | smallhotspot.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  pid | process
  1820 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (4 IoCs)
  Processes: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe, smallhotspot.exe
  pid | process
  2876 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  1820 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  2280 | smallhotspot.exe
  2088 | smallhotspot.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe, smallhotspot.exe
  description | pid | process | target process
  PID 2876 wrote to memory of 1820 | 2876 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  PID 2876 wrote to memory of 1820 | 2876 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  PID 2876 wrote to memory of 1820 | 2876 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  PID 2876 wrote to memory of 1820 | 2876 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  PID 2280 wrote to memory of 2088 | 2280 | smallhotspot.exe | smallhotspot.exe
  PID 2280 wrote to memory of 2088 | 2280 | smallhotspot.exe | smallhotspot.exe
  PID 2280 wrote to memory of 2088 | 2280 | smallhotspot.exe | smallhotspot.exe
  PID 2280 wrote to memory of 2088 | 2280 | smallhotspot.exe | smallhotspot.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe"
  PID: 2876
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
    Command line: --1a5a73cf
    PID: 1820
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
- C:\Windows\SysWOW64\smallhotspot.exe
  Command line: "C:\Windows\SysWOW64\smallhotspot.exe"
  PID: 2280
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\smallhotspot.exe
    Command line: --3db04bda
    PID: 2088
    Signatures:
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage