Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09/09/2024, 14:44
Behavioral task: behavioral1
Sample: d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe
Size: 22KB
MD5: d687cc753f97615527ad63c867a423eb
SHA1: 34bd9c078df89a6e86c94018da0edcb69265d89e
SHA256: db167177be5d69cf988bf33e6d8b3594668dfb94395204b3c9347492ad99f715
SHA512: 354d52eaa620ed252b90951861754508f059bb47c612e602e62360bf3de8f95fb92e5e2178ff0875d67f7a7afaf5987672e6b3dbb250a14b5661e39bec6a9363
SSDEEP: 384:PuA7sx9mI3IwKi5UtvN5aX/Q3xXOdiQFGbNGzj/MVxH47KQL5QmluQx:Pu+69msFK24lEQBXiVFGbNGzj0vWj5T
Malware Config
Signatures

Deletes itself (1 IoC)
  pid | Process
  2460 | cmd.exe

Yara rule matches
  resource | yara_rule
  behavioral1/memory/2696-0-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral1/memory/2696-14-0x0000000000400000-0x0000000000414000-memory.dmp | upx

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\adc.kml | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\xx.tmp | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe
  File created | C:\Windows\xx.tmp1 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe
  File opened for modification | C:\Windows\xx.tmp1 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2696 wrote to memory of 2984 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 30
  PID 2696 wrote to memory of 2984 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 30
  PID 2696 wrote to memory of 2984 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 30
  PID 2696 wrote to memory of 2984 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 30
  PID 2696 wrote to memory of 2460 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 31
  PID 2696 wrote to memory of 2460 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 31
  PID 2696 wrote to memory of 2460 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 31
  PID 2696 wrote to memory of 2460 | 2696 | d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe | 31
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
  PID 2984 wrote to memory of 2072 | 2984 | cmd.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe [level 1]
  command line: "C:\Users\Admin\AppData\Local\Temp\d687cc753f97615527ad63c867a423eb_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2696

  C:\Windows\SysWOW64\cmd.exe [level 2]
    command line: cmd /c rundll32.exe C:\Windows\xx.tmp1 Run
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2984

    C:\Windows\SysWOW64\rundll32.exe [level 3]
      command line: rundll32.exe C:\Windows\xx.tmp1 Run
      - System Location Discovery: System Language Discovery
      PID: 2072

  C:\Windows\SysWOW64\cmd.exe [level 2]
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\del.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2460
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 400B
MD5: 5f01d17b3f12934881d8e38705cf6360
SHA1: f1c12f21b8cc6d5113b5f2e306d0a9fabfa665d5
SHA256: 85bcd437af52ad84d3ad1837552356d6c9ca57fd29033b18e27b1d39cc9f17c9
SHA512: ee0914a2fea8febae6317ee28a0bb1491a3c7c517df3b8fcee405e0857c045918ef71c2dc55049cdc82e076031fabae8cf3f66b6948be96578deeff17d16cb30

Filesize: 48KB
MD5: dece72877bb5ab63545f37d36560e960
SHA1: e87f3de970230a841b1dcb140b47b66c3dfc3263
SHA256: 33d2bc455ec7fe6ae661ad694516ec836860a4a57a4a2ce2ad444359db891d66
SHA512: a0676ac6dc18fd6ca73686d30670ccab740c9f510f694d089f0477d23d4735dedd98107575a537effb95706f3c5139841702c4f9d28beeb4f728c5ed97dc943f