Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 31-08-2024 07:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- Size: 900KB
- MD5: cc6962b007a8512fd286d0d50489e3f0
- SHA1: 326665ca3524b4b1afbf2ecb5c3096ff19e7de55
- SHA256: deba095b9ba5ffd6ea866849da264d0197efbaf12acd27b900213354d0fa18ff
- SHA512: 4173a8311a6feeac481ecc8551252122f0fd04e1a9a7fb549d735078e5bf84a6e8e311f905c0e30f3eaef1eaf1bbd50eb05de3b623922f0a9859c9b99be1fa4d
- SSDEEP: 24576:ZotQUwXBNssktnYM441giJ22zPubfCMqtPQgqevcZGq2bl:OtQUgQPuOJtTtvcZVwl
Malware Config
Signatures
Expiro payload 23 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2112-0-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-2-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-3-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-4-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-5-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-6-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-7-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-8-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-16-0x00000000033D0000-0x0000000003673000-memory.dmp family_expiro1
- behavioral1/memory/2680-18-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-17-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-19-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-22-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-20-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-36-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-35-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-37-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-92-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-98-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-100-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-135-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2112-257-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
- behavioral1/memory/2680-256-0x0000000000400000-0x00000000006A3000-memory.dmp family_expiro1
Deletes itself 1 IoCs
Processes (pid / process):
- 1952 cmd.exe

Executes dropped EXE 1 IoCs
Processes (pid / process):
- 2680 legyx.exe

Loads dropped DLL 1 IoCs
Processes (pid / process):
- 2112 cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\legyx.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Hisi\\legyx.exe" | explorer.exe

Drops file in System32 directory 6 IoCs
Processes (description / ioc / process):
- File opened for modification | \??\c:\windows\system32\svchost.exe | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\SysWOW64\alg.exe | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\system32\alg.exe | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File created | \??\c:\windows\system32\ppihcaeh.tmp | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File created | \??\c:\windows\SysWOW64\nghmlchp.tmp | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs
Processes (description / ioc / process):
- File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File created | \??\c:\windows\microsoft.net\framework64\v4.0.30319\nlnenfqi.tmp | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | legyx.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
NTFS ADS 1 IoCs
Processes (description / ioc / process):
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\104D24E4-00000001.eml:OECustomProperty | WinMail.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes (pid / process):
- 2680 legyx.exe (2 entries)
- 2000 explorer.exe (28 entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
- Token: SeSecurityPrivilege | 2112 | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
- Token: SeManageVolumePrivilege | 2612 | WinMail.exe
- Token: SeTakeOwnershipPrivilege | 2112 | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / process):
- 2612 WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid / process):
- 2612 WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
- 2612 WinMail.exe

Suspicious use of WriteProcessMemory 42 IoCs
Processes (description / pid / process / target process):
- PID 2112 wrote to memory of 2680 | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe -> legyx.exe (4 entries)
- PID 2680 wrote to memory of 2000 | legyx.exe -> explorer.exe (9 entries)
- PID 2680 wrote to memory of 1172 | legyx.exe -> taskhost.exe (5 entries)
- PID 2680 wrote to memory of 1344 | legyx.exe -> Dwm.exe (5 entries)
- PID 2680 wrote to memory of 1424 | legyx.exe -> Explorer.EXE (5 entries)
- PID 2680 wrote to memory of 1664 | legyx.exe -> DllHost.exe (5 entries)
- PID 2680 wrote to memory of 2112 | legyx.exe -> cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe (5 entries)
- PID 2112 wrote to memory of 1952 | cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe -> cmd.exe (4 entries)
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1172
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1344
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1424
  - C:\Users\Admin\AppData\Local\Temp\cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe"
    PID: 2112
    Signatures:
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Hisi\legyx.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Hisi\legyx.exe"
      PID: 2680
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\SysWOW64\explorer.exe"
        PID: 2000
        Signatures:
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp13a692f2.bat"
      PID: 1952
      Signatures:
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1664
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  PID: 2612
  Signatures:
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 6fe76f7302781916a954f5bc3c9d2d01
  SHA1: 0aac4a16200cb346bd78ccdd76b58d65c91ec6d9
  SHA256: 26cd74722a4c41fa99a5a6f76c0133f2a388ddbd31f4cbccf41ceb65f672febb
  SHA512: 3cb11580c9e39cd3390febe4f3ae8972217f7efc0b8253ebb61d7da87ea52e6d20e2e2148886822b491bf0287d0122b5aa9a641b35fd75c4c48e24a07cf9e0f0
- Filesize: 271B
  MD5: 02ae4550ce4d99e40779bdde19ff0cdd
  SHA1: 31f1f33645cb1fdc4985e6bba1a0349d79d8c583
  SHA256: fe0947cf8f9c537f05ed1a115accbd9338d5b7316fe73195f59ed6a6be187c9d
  SHA512: 063977bd649ffdc39bb1649ff4e97c9663ac2c132b0c58e935e619fd584ab1d36edb17db4efde67265f4bd3ba4610251185d64b9cc4a7292ec290936d42f542f
- Filesize: 900KB
  MD5: 27aaea6961b53204805127063a36ec4c
  SHA1: 43c5b46074ae3fb5b7fc26e2686feb2a7e795706
  SHA256: dbc0ff2275545db2443f10f17bc5eacaeaf6772d48b1d5a8934f558c39c3d2b7
  SHA512: f5ba921b62ee9003e241eea1ef073054d3c7d75323e68a00130fbd358ba71e6e508000618d36cf442f8163997ee31c66e0385c84af0b0138340cabd76e08347a