Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 15:48
Static task
static1
Behavioral task
behavioral1
Sample
d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe
-
Size
534KB
-
MD5
d4b5b8fa8f784b73ce3ef9619640be2a
-
SHA1
3bf62a037bf2ce6534ceb31b9c89f76508b35ce0
-
SHA256
5af99867dbbccbc655ceac0f7535d7983c707fbcb54287ba75c9e8e4b0488bb2
-
SHA512
c884de66d4b71994dea891586cd8de0ab7ebd91e7d329d9359234d6b8403307e4470b96c007b3929d88d3be68170f0090e41c80ecf1562b9bb31c69d8dc8f529
-
SSDEEP
12288:uRZYA5Tr+ATaRQO0qdQ4Mu2GRaWNI9xmdLxN2wJ86:u7zF+OaRQu2JWfT
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\ltocx14N.ocx d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe File created C:\Windows\SysWOW64\Sunset.jpg d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4028 set thread context of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84 PID 4028 wrote to memory of 4996 4028 d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d4b5b8fa8f784b73ce3ef9619640be2a_JaffaCakes118.exe2⤵
- System Location Discovery: System Language Discovery
PID:4996
-