Analysis
Max time kernel: 121s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 08/09/2024, 01:10

Static task: static1
Behavioral task: behavioral1
  Sample: d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
Size: 578KB
MD5: d334ea90cbebc979ab607ff4b08aabe2
SHA1: fda1e4b0f7460806edf5f405b08af2618be5db0d
SHA256: 3f854ce008a01984333c517f9c04f8c6ec9dd12fa2d4e1bd72c73409220ee47b
SHA512: 86c9557efea35498e1d32221e0306c21da70432fe2e32fcddeb1ee9927eb754b3104932a9928f5d4a1cf5e24a4dbbf55aaefd051a6dc67b4e6992749e0a99c28
SSDEEP: 12288:WybTTsjZIs4nPRENOO4uBojmG7H1CjAjG7bca31+MSwvNmqfc1K0yi:WybTAipD32wj0ounUcvNMU0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 884  Ins8315.tmpinstall.exe
Loads dropped DLL (4 IoCs)
  PID 2872  d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe (4 events)
Use of msiexec (install) with remote resource (1 IoC)
  PID 2952  MSIEXEC.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this key is also ordinary behaviour for installers and for msiexec itself (locale selection), so on its own it is weak evidence.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ins8315.tmpinstall.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIEXEC.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege       PID 2952  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege  PID 2952  MSIEXEC.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2952  MSIEXEC.EXE (2 events)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2872 (d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe) wrote to memory of PID 884 (Ins8315.tmpinstall.exe), procid_target 29 (7 events)
  PID 884 (Ins8315.tmpinstall.exe) wrote to memory of PID 2952 (MSIEXEC.EXE), procid_target 30 (7 events)
  Note that a parent writing into a child it has just created is part of normal process creation; these events document the execution chain (PID 2872 to 884 to 2952) rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe"
   PID: 2872
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe (child of PID 2872)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe"
      PID: 884
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\MSIEXEC.EXE (child of PID 884)
         Command line: MSIEXEC.EXE /i "https://flshmonte.cntntdnfiles.eu/client/pkgs/coolcat/Cool Cat Casino20200129033801.msi" DDC_DID=9385578 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=9385578 DDC_DOWNLOAD_AFFID=14227 DDC_UPDATESTATUSURL=http://190.4.94.37:8080/coolcat/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.37:8080/coolcat/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=trackingID CUSTOMVALUE02=CCC83c4ecc76b83e6df007e9289eb26463f SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins8315.tmpinstall.exe"
         PID: 2952
         - Use of msiexec (install) with remote resource
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
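The "Use of msiexec (install) with remote resource" signature above is the one finding in this tree that is worth turning into a hunt. The script below is an added example, not part of the sandbox report: it parses Windows Installer command lines, extracts the package argument of /i, /package or /a, classifies it as local, UNC or URL, collects the public properties (the DDC_* and SETUPEXE* values here), and highlights properties that point at plaintext HTTP endpoints or bare IP addresses. PAGE_CMDLINE is the MSIEXEC.EXE command line from the process tree; the other entries in SAMPLE_EVENTS, and every PID other than 2952, are constructed controls.

```python
"""Flag msiexec installs whose package comes from a remote resource (added example)."""
from __future__ import annotations

import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# A token is a run of unquoted text and/or double-quoted strings, so
# KEY="value with spaces" stays one token. Approximates CommandLineToArgvW
# without backslash-escape handling, which is enough for installer lines.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_PROPERTY = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)=(.*)$")
INSTALL_SWITCHES = {"i", "package", "a"}   # switches that take a package path
REMOTE_SCHEMES = ("http", "https", "ftp")


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments with the quotes removed."""
    return [tok.replace('"', "") for tok in _TOKEN.findall(cmdline)]


def url_host(value: str) -> str | None:
    """Hostname of value if it is an http/https/ftp URL, otherwise None."""
    parts = urlsplit(value)
    if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
        return parts.hostname
    return None


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyse_msiexec(cmdline: str) -> dict | None:
    """Return a finding for an msiexec command line, or None for any other image."""
    argv = split_cmdline(cmdline)
    if not argv or argv[0].rsplit("\\", 1)[-1].lower() not in ("msiexec.exe", "msiexec"):
        return None
    package: str | None = None
    properties: dict[str, str] = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        prop = _PROPERTY.match(tok)
        if prop:
            properties[prop.group(1)] = prop.group(2)
        elif tok and tok[0] in "/-" and tok[1:].lower() in INSTALL_SWITCHES and i + 1 < len(argv):
            i += 1
            package = argv[i]          # the package follows the install switch
        i += 1
    if package is None:
        scheme = None
    elif package.startswith("\\\\"):
        scheme = "unc"                 # package fetched from a network share
    else:
        scheme = urlsplit(package).scheme.lower() if url_host(package) else None
    property_hosts: dict[str, str] = {}
    for key, value in properties.items():
        host = url_host(value)
        if host:
            property_hosts[key] = host
    return {
        "package": package,
        "remote": scheme is not None,
        "scheme": scheme,
        "package_host": url_host(package) if package else None,
        "properties": properties,
        "property_hosts": property_hosts,
        # endpoints handed to the installer as bare IP addresses deserve a look
        "ip_literal_hosts": sorted({h for h in property_hosts.values() if is_ip_literal(h)}),
        # properties that point the installer at plaintext HTTP endpoints
        "plaintext_http": sorted(k for k, v in properties.items() if v.lower().startswith("http://")),
    }


def scan_events(events: list[tuple[int, str]]) -> list[dict]:
    """Findings for (pid, command line) process-creation events that install from a remote package."""
    findings = []
    for pid, cmdline in events:
        result = analyse_msiexec(cmdline)
        if result and result["remote"]:
            findings.append({"pid": pid, **result})
    return findings


# Command line of PID 2952 from the process tree in the report.
PAGE_CMDLINE = (
    r'MSIEXEC.EXE /i "https://flshmonte.cntntdnfiles.eu/client/pkgs/coolcat/Cool Cat Casino20200129033801.msi" '
    r"DDC_DID=9385578 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=9385578 "
    r"DDC_DOWNLOAD_AFFID=14227 DDC_UPDATESTATUSURL=http://190.4.94.37:8080/coolcat/Lobby.WebServices/Installer.asmx "
    r"DDC_SIGNUPURL=http://190.4.94.37:8080/coolcat/Lobby.WebSite/SignUpUnsecure.aspx "
    r"CUSTOMNAME02=trackingID CUSTOMVALUE02=CCC83c4ecc76b83e6df007e9289eb26463f "
    r'SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins8315.tmpinstall.exe"'
)

# Constructed events: only the first is from the report; the rest are controls.
SAMPLE_EVENTS = [
    (2952, PAGE_CMDLINE),
    (4100, r'C:\Windows\System32\msiexec.exe /i "C:\Temp\setup.msi" /qn'),  # local package
    (4242, r"msiexec /package \\fileserver\share\app.msi /quiet"),            # UNC package
    (4300, r"notepad.exe /i https://example.invalid/x.msi"),                  # not msiexec
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["pid"], finding["scheme"], finding["package_host"] or finding["package"],
              finding["plaintext_http"], finding["ip_literal_hosts"])
```

Feed it the CommandLine field of process-creation telemetry (Sysmon Event ID 1 or the 4688 equivalent). Installing from a URL is a documented Windows Installer feature, so a hit is a lead, not a verdict: the useful context on this page is the chain, a sample in the user's Temp directory dropping Ins8315.tmpinstall.exe which in turn launches msiexec, plus the installer being pointed at plaintext HTTP tracking and sign-up endpoints on a bare IP (190.4.94.37:8080).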
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 1KB
  MD5: 5f75ae6d0fe628bd5320e3b619dd2ae5
  SHA1: 2b13647d3640a16f245d398885b677f97e0b11e8
  SHA256: 2d6985a0d00108fa102f5446225614dc150519668e7a7aed707dffaebd85cbe8
  SHA512: c13235094ac0708cdb4a1f26042540854fe3ee935b02518c70ca01819b60509db75b30230afbf659fea76a2604c7e48d5cf5fe803a25ef61cb7a60f80551a3d7
Download 2
  Filesize: 21KB
  MD5: be345d0260ae12c5f2f337b17e07c217
  SHA1: 0976ba0982fe34f1c35a0974f6178e15c238ed7b
  SHA256: e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
  SHA512: 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
Download 3
  Filesize: 20B
  MD5: db9af7503f195df96593ac42d5519075
  SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
Download 4
  Filesize: 5KB
  MD5: 0a6ba72b9789f4089285981753328492
  SHA1: 844ffa367c2ea0f092dc0163c6917f29727001cd
  SHA256: daa522079e132d69ff0e971a35f4147f936a8237be9591076398e8e7036064b6
  SHA512: 26c00421c1073eddc0b4f8ab1810b12014603d39ea2e8dda67c57b3fe71ffba1e8eed72cdecb5bac9a7d2fe3ac57c1833edd61f1cf467cca4e008e549f701078
Download 5
  Filesize: 1.2MB
  MD5: 4630c542fd8d8aaeaf1e23a355014f8c
  SHA1: e63be2f709e5ae112bea8a5d655042592e39ec2d
  SHA256: edcec4c9ab0a1878b502e5da78328ba4a1e863cffcf74fc0d7181c6226aea2f1
  SHA512: 1904cf351e93295eba00757197e1bfddbc8a62a318d53dc3cbeaa89c93a57f0522a22defd3ca612016aadab9d2db09eed1a5b38e653dfbb9fbff79e531b47ebd