Analysis
max time kernel: 137s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 17:43
Static task: static1
Behavioral task: behavioral1
  Sample: d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
Size: 521KB
MD5: d6d03c96da4193b37ea70b0387e03e3d
SHA1: 86cfec570afdd67d09e1f0866fecd21320897cc3
SHA256: 9e0114ab8f510a607f2c65d2f86b686d92822592f7767fff258aa4645e636714
SHA512: d5f9c0bde197bea1788736e8d62933bdd2fa0b65e0be806d691a1353768e20d111c190cd8947baf26ea63dad81964ed893db56ea98d80ca59f43046e2c412b4d
SSDEEP: 12288:+ylIvHucpkHuX6J65ZBGpTDk/hUOtYyUmr9yr5k:dOvHkH66aCg/hvUIyG
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  3948  stdrt.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  3948  stdrt.exe
  3948  stdrt.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stdrt.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3948  stdrt.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  3948  stdrt.exe
  3948  stdrt.exe
  3948  stdrt.exe
  4984  OpenWith.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process                                             procid_target
  PID 768 wrote to memory of 3948  768  d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe  90
  PID 768 wrote to memory of 3948  768  d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe  90
  PID 768 wrote to memory of 3948  768  d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe  90
Processes
C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe"
  PID: 768
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process (depth 2):
  C:\Users\Admin\AppData\Local\Temp\mrt5407.tmp\stdrt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mrt5407.tmp\stdrt.exe" /SF "C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe" /SO94208
    PID: 3948
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4984
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1516,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
  PID: 1764
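The process tree above shows the pattern worth hunting for outside the sandbox: the submitted EXE, itself running from the user's Temp directory, unpacks stdrt.exe into a Temp\mrt5407.tmp\ sub-directory and launches it with the dropper's own path handed back on the command line (/SF "<dropper>"). The following Python is an added example, not part of this Triage report, that encodes that pattern as a rule over process-creation events and also matches file hashes against the SHA256 IoCs listed on this page. The events are constructed to mirror the tree above; the parent images for PIDs 768, 4984 and 1764 and the sha256 field are assumptions, since the report does not record them.

```python
import re
from typing import Dict, Iterable, List

# SHA256 IoCs copied from this report: the submitted sample plus the three files
# listed under Downloads (the report does not say which dropped file each one is).
KNOWN_SHA256 = {
    "9e0114ab8f510a607f2c65d2f86b686d92822592f7767fff258aa4645e636714",  # target
    "af920de169c975d5ab9cb407a454c60723c7f6ca5d24ee0e229aae98b93d6aad",  # 288KB
    "cf973b83ec737c5d9f98c0befec8bbf4f157bfab78388c86a4cbe2327ca91653",  # 296KB
    "0457b7a73873892eeae4871f9eb8bd16ffc33e3d61b77e04c150ccbb11a1dcbf",  # 324KB
}

# Image path anywhere under the user's Temp directory (where the sample ran from).
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Image path inside a Temp\<name>.tmp\ sub-directory, which is where this sample
# unpacked stdrt.exe before launching it.
TEMP_TMPDIR_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\\[^\\]+\.exe$", re.IGNORECASE)


def quoted_args(cmdline: str) -> List[str]:
    """Lower-cased list of every double-quoted argument, e.g. the value after /SF."""
    return [arg.lower() for arg in re.findall(r'"([^"]+)"', cmdline)]


def evaluate(events: Iterable[Dict]) -> List[Dict]:
    """Apply both checks to process-creation events; one finding per check that hits."""
    findings = []
    for ev in events:
        image = ev["image"]
        parent = ev.get("parent_image", "")
        # Check 1: EXE under Temp\*.tmp\ started by a Temp-resident parent that
        # passes its own path back to the child (the /SF "<dropper>" argument).
        if (TEMP_TMPDIR_EXE.search(image)
                and USER_TEMP.search(parent)
                and parent.lower() in quoted_args(ev.get("cmdline", ""))):
            findings.append({"pid": ev["pid"], "rule": "temp_dropper_self_reference",
                             "image": image})
        # Check 2: the process image hashes to a SHA256 IoC from the report.
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            findings.append({"pid": ev["pid"], "rule": "known_ioc_sha256",
                             "image": image})
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe"
STDRT = r"C:\Users\Admin\AppData\Local\Temp\mrt5407.tmp\stdrt.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events modelled on the process tree in this report (not a real log
# export). Parent images for PIDs 768, 4984 and 1764 are assumed; the report does
# not record them. The sha256 on PID 768 is the report's target hash.
SAMPLE_EVENTS = [
    {"pid": 768, "image": DROPPER, "cmdline": f'"{DROPPER}"',
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "9e0114ab8f510a607f2c65d2f86b686d92822592f7767fff258aa4645e636714"},
    {"pid": 3948, "image": STDRT,
     "cmdline": f'"{STDRT}" /SF "{DROPPER}" /SO94208',
     "parent_image": DROPPER},
    {"pid": 4984, "image": r"C:\Windows\system32\OpenWith.exe",
     "cmdline": r"C:\Windows\system32\OpenWith.exe -Embedding",
     "parent_image": r"C:\Windows\system32\svchost.exe"},
    {"pid": 1764, "image": EDGE,
     "cmdline": f'"{EDGE}" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService',
     "parent_image": EDGE},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the rule fires twice: a hash hit on PID 768 and the self-referencing Temp launch on PID 3948; the OpenWith.exe and msedge.exe entries, which are ordinary sandbox noise here, produce nothing. The first check is deliberately tied to the parent path appearing in the child's command line rather than to the names mrt5407.tmp or stdrt.exe, which are specific to this one run.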
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 288KB
MD5: 15b3c3bed1181261e8c75f3a737c86a6
SHA1: 16d55b62d9ac287eab04583d65f71a0753a61ae3
SHA256: af920de169c975d5ab9cb407a454c60723c7f6ca5d24ee0e229aae98b93d6aad
SHA512: 5099044f9aac7364d2154ae6d17aa9fc1f3b8dd97a2a1806ff40323fbb3c41bc82c839551e3f04e5706ddcfb12743249e185af61f60146591c9c02430825c25e

Filesize: 296KB
MD5: fcdc7975ffb8a1c06d57e78910edc48c
SHA1: 3e5d5d580ed6ae95d59d3794dd8e524002901aa2
SHA256: cf973b83ec737c5d9f98c0befec8bbf4f157bfab78388c86a4cbe2327ca91653
SHA512: 8cd43b8edeef51a95d54e68d7dadc1c8f01de2c73d1dcfc0d81af4a5b381ea0fd4e05c41509283a6bbbb669af2809fce94546b6fa7eb044037fa0701ea54d194

Filesize: 324KB
MD5: cc4113856c0bd5a1910f8cc5c37d6d78
SHA1: 69621b8f1dfea6e7a0c759033984f0ae8319c118
SHA256: 0457b7a73873892eeae4871f9eb8bd16ffc33e3d61b77e04c150ccbb11a1dcbf
SHA512: 0692a5d220a6059da9be53251b7793a3c18af5e59d40390b7ba269e9344862e96f5e18cf56d33393dd7732495f382fdc8f55af83f81452dfd2ec20d058b60682