Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 09-09-2024 19:09
Static task: static1
Behavioral task: behavioral1
  Sample: d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
Size: 60KB
MD5: d6ee0a7dac7ed714119fb57cb2c84e71
SHA1: 4bf82701562eafd234269b47de50d597a91b275c
SHA256: bedd016728ae3519e42317b52a7e0992d1d3b77131aded5aecb1531f32b7b5cb
SHA512: a0702df5c4c08516ee714a8f30ab01691a3c511c4e6d6f125b25bd1ea0c7b46d22e59ebc8777d41b4b51774aeca7ef513f17a4870eb3eb74ef1232eaaf0275f1
SSDEEP: 1536:n5qHQFzgTJreVntraXMjC230u/m5B2ex2GNpYYR9uL:n5qHQFzJ8Y30ISxtH3
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2944  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2316  LSPFix.exe
  1276  360safe.exe

Loads dropped DLL (9 IoCs)
  pid   Process                                              loads
  2480  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe  4
  1276  360safe.exe                                          1
  2820  rundll32.exe                                         4

YARA rule match: vmprotect (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x0009000000016f45-31.dat                                   vmprotect
  behavioral1/memory/1276-33-0x0000000010000000-0x0000000010011000-memory.dmp   vmprotect
  behavioral1/memory/2820-42-0x0000000010000000-0x0000000010011000-memory.dmp   vmprotect
  Both memory hits are the same 0x11000-byte region at 0x10000000, the default image base of a DLL built with the Microsoft linker, in the two processes that load the dropped lpmqjcath.dll (360safe.exe, PID 1276, and the rundll32.exe it spawns, PID 2820). That is consistent with the VMProtect-packed code being the dropped DLL rather than the host executables.
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (10 IoCs)
  description                   ioc                                Process
  File created                  C:\Windows\SysWOW64\lpmqjcath.dll  360safe.exe
  File created                  C:\Windows\SysWOW64\zyshit.cfg     360safe.exe
  File created                  C:\Windows\SysWOW64\zyshit1.dat    360safe.exe
  File opened for modification  C:\Windows\SysWOW64\zyshit1.dat    360safe.exe
  File created                  C:\Windows\SysWOW64\zyshit2.dat    360safe.exe
  File opened for modification  C:\Windows\SysWOW64\zyshit2.dat    360safe.exe
  File created                  C:\Windows\SysWOW64\zyshit3.dat    360safe.exe
  File opened for modification  C:\Windows\SysWOW64\zyshit3.dat    360safe.exe
  File created                  C:\Windows\SysWOW64\zyshit4.dat    360safe.exe
  File opened for modification  C:\Windows\SysWOW64\zyshit4.dat    360safe.exe

Drops file in Program Files directory (6 IoCs)
  description                   ioc                                         Process
  File created                  C:\Program Files (x86)\360Safe\360safe.exe  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\360Safe\360safe.exe  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\360Safe\LSPFix.exe   d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\360Safe\LSPFix.exe   d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  File created                  C:\Program Files\dnf\lpmqjcath.dll          360safe.exe
  File opened for modification  C:\PROGRA~2\360Safe\360safe.exe             360safe.exe
  (C:\PROGRA~2 is the 8.3 short name of C:\Program Files (x86) on this x64 image; the last row is 360safe.exe opening its own image.)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   360safe.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe (x3)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   LSPFix.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process       count
  1276  360safe.exe   1
  2820  rundll32.exe  63

Suspicious behavior: LoadsDriver (2 IoCs)
  pid   Process
  1276  360safe.exe
  480   Process not Found (a process the monitor did not track)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                   pid   Process
  Token: SeLoadDriverPrivilege  1276  360safe.exe
  (360safe.exe enables SeLoadDriverPrivilege and is also the process flagged by LoadsDriver above.)

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2480  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
  2316  LSPFix.exe
  1276  360safe.exe
Suspicious use of WriteProcessMemory (27 IoCs, collapsed by writer/target pair)
  pid   Process                                              target PID  procid_target  writes
  2480  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe  2316        30             4
  2480  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe  1276        32             4
  1276  360safe.exe                                          2820        33             7
  1276  360safe.exe                                          2716        34             4
  2480  d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe  2944        35             4
  2316  LSPFix.exe                                           2556        39             4
  Every target is a child the writer has just created (compare the Processes section below). CreateProcess itself writes the new process's parameters into the child's address space, so these hits reproduce the process tree and are not on their own evidence of code injection; a write into a process outside the writer's own lineage would be.
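The flattened list above is easier to reason about once it is collapsed into writer/target edges and checked against the process tree. The following parser is an added example and not part of the sandbox report: IOC_TEXT is rebuilt from the 27 rows above, and the column layout it assumes (writer pid, target pid, writer pid again, writer image, then the report's internal process index rather than a Windows PID) is this example's reading of the report.

```python
"""Rebuild the parent/child process graph from a Triage
"Suspicious use of WriteProcessMemory" IoC list.

Added example, not part of the sandbox report. IOC_TEXT is rebuilt from the
27 rows shown in the report (same pids, images and counts). Assumed column
layout: PID <writer> wrote to memory of <target pid> <writer> <writer image>
<target procid>, the last number being the report's own process index.
"""
import re
from collections import defaultdict

SAMPLE = "d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe"


def _rows(src, dst, image, procid, n):
    # One flattened row per WriteProcessMemory call, n calls per child.
    return f"PID {src} wrote to memory of {dst} {src} {image} {procid} " * n


# Constructed from the report: 4+4+7+4+4+4 = 27 rows.
IOC_TEXT = (
    _rows(2480, 2316, SAMPLE, 30, 4)
    + _rows(2480, 1276, SAMPLE, 32, 4)
    + _rows(1276, 2820, "360safe.exe", 33, 7)
    + _rows(1276, 2716, "360safe.exe", 34, 4)
    + _rows(2480, 2944, SAMPLE, 35, 4)
    + _rows(2316, 2556, "LSPFix.exe", 39, 4)
)

# Parent of each pid according to the report's Processes section; used to
# check that every write targets a process the writer itself created.
PARENT_OF = {2316: 2480, 1276: 2480, 2556: 2316, 2820: 1276, 2716: 1276, 2944: 2480}

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<image>\S+) (?P<procid>\d+)"
)


def parse_edges(text):
    """Collapse the row list into {(writer_pid, target_pid): info}, counting
    how many writes each (writer, target) pair produced."""
    edges = {}
    for m in ROW_RE.finditer(text):
        key = (int(m["src"]), int(m["dst"]))
        info = edges.setdefault(
            key, {"image": m["image"], "procid": int(m["procid"]), "writes": 0}
        )
        info["writes"] += 1
    return edges


def build_tree(edges):
    """Return (roots, children): children maps a pid to the ordered list of
    pids it wrote into; roots are writers that nobody wrote into."""
    children = defaultdict(list)
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = []
    for src, _ in edges:
        if src not in targets and src not in roots:
            roots.append(src)
    return roots, dict(children)


def cross_process_writes(edges, parent_of):
    """Edges whose target is NOT a direct child of the writer. A parent
    writing into a process it has just created is what CreateProcess does
    (it copies the process parameters into the new address space), so only
    writes into unrelated processes deserve an injection hypothesis."""
    return [e for e in edges if parent_of.get(e[1]) != e[0]]


def render(roots, children, edges, depth=0):
    """Indented text tree, one line per edge, annotated with the write count."""
    lines = []
    for pid in roots:
        for child in children.get(pid, []):
            n = edges[(pid, child)]["writes"]
            lines.append("  " * depth + f"{pid} -> {child} ({n} writes)")
            lines.extend(render([child], children, edges, depth + 1))
    return lines


if __name__ == "__main__":
    e = parse_edges(IOC_TEXT)
    r, c = build_tree(e)
    print("\n".join(render(r, c, e)))
    print("writes outside the writer's own children:", cross_process_writes(e, PARENT_OF))
```

Run against the report's rows this yields the six edges of the process tree and an empty cross-process list; the same parser applied to a report where a writer targets a pid it did not create is where the signature starts to mean injection.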
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe"
    PID: 2480
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\360Safe\LSPFix.exe
        Command line: "C:\Program Files (x86)\360Safe\LSPFix.exe"
        PID: 2316
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Del.bat" "
            PID: 2556
            - System Location Discovery: System Language Discovery

    [2] C:\Program Files (x86)\360Safe\360safe.exe
        Command line: "C:\Program Files (x86)\360Safe\360safe.exe"
        PID: 1276
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\lpmqjcath.dll Start
            PID: 2820
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\PROGRA~2\360Safe\360safe.exe
            PID: 2716
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D6EE0A~1.EXE
        PID: 2944
        - Deletes itself
        - System Location Discovery: System Language Discovery

Notes on the tree:
- The command lines name C:\Windows\system32\cmd.exe and rundll32.exe, but the recorded images are under C:\Windows\SysWOW64. The sample is 32-bit (arch:x86 tag) and WOW64 file-system redirection maps system32 to SysWOW64 for 32-bit processes.
- D6EE0A~1.EXE, PROGRA~2 and Progra~1 are Windows 8.3 short names for the sample, C:\Program Files (x86) and C:\Program Files respectively. Detection logic that compares the del target or the rundll32 argument against a long path by string equality will miss both deletions and the DLL load.
- Two separate clean-ups run: PID 2944 deletes the original sample from Temp (the "Deletes itself" hit, because the target is its parent's image), and PID 2716 deletes the dropped C:\Program Files (x86)\360Safe\360safe.exe, which is its own parent's image. Only the first is tagged by the sandbox because only the submitted sample counts as "itself".
- rundll32.exe is handed the DLL that 360safe.exe dropped at C:\Program Files\dnf\lpmqjcath.dll and told to call its Start export; that process accounts for 63 of the 64 EnumeratesProcesses hits.
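The two behaviours the tree shows most clearly, a process deleting its parent's image through cmd.exe and rundll32.exe loading a DLL its own ancestor just dropped, both hinge on matching 8.3 short names against long paths. The following detections are an added example and not part of the sandbox report: EVENTS and FILE_CREATES are constructed from the Processes and "Drops file" sections above, the ppid of the top-level sample (1000) is invented, and all function names are this example's own.

```python
"""Two detections over the process tree above, with the 8.3 short-name
handling they need.

Added example, not part of the sandbox report. EVENTS and FILE_CREATES are
constructed from the report's Processes and "Drops file" sections; the ppid
of the top-level sample (1000) and all function names are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = SAMPLE_DIR + "\\d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as the monitor recorded it
    cmdline: str  # command line as launched


EVENTS = [
    ProcEvent(2480, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(2316, 2480, r"C:\Program Files (x86)\360Safe\LSPFix.exe",
              r'"C:\Program Files (x86)\360Safe\LSPFix.exe"'),
    ProcEvent(2556, 2316, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + SAMPLE_DIR + '\\Del.bat" "'),
    ProcEvent(1276, 2480, r"C:\Program Files (x86)\360Safe\360safe.exe",
              r'"C:\Program Files (x86)\360Safe\360safe.exe"'),
    ProcEvent(2820, 1276, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\lpmqjcath.dll Start"),
    ProcEvent(2716, 1276, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\PROGRA~2\360Safe\360safe.exe"),
    ProcEvent(2944, 2480, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del " + SAMPLE_DIR + r"\D6EE0A~1.EXE"),
]
# (creator pid, path) from "Drops file in Program Files directory".
FILE_CREATES = [(1276, r"C:\Program Files\dnf\lpmqjcath.dll")]


def could_be_short_name(short, long):
    """True if `short` (an 8.3 alias such as PROGRA~2 or D6EE0A~1.EXE) could
    stand for `long`. Windows builds the alias from the leading characters of
    the long name with spaces and embedded dots removed, upper-cased, plus ~N
    and up to three extension characters. N depends on creation order on the
    victim's disk, so it is ignored: this is a candidate match, not proof.
    Names behind long collision chains get hash-based aliases this misses."""
    s_base, s_ext = short.rsplit(".", 1) if "." in short else (short, "")
    l_base, l_ext = long.rsplit(".", 1) if "." in long else (long, "")
    prefix, _, seq = s_base.rpartition("~")
    if not prefix or not seq.isdigit():
        return False
    l_clean = re.sub(r"[ .]", "", l_base).upper()
    return l_clean[:len(prefix)] == prefix.upper() and l_ext.upper()[:3] == s_ext.upper()


def paths_match(a, b):
    """Component-wise, case-insensitive path comparison that accepts an 8.3
    alias on either side."""
    pa, pb = a.strip('"').split("\\"), b.strip('"').split("\\")
    if len(pa) != len(pb):
        return False
    for x, y in zip(pa, pb):
        if x.lower() == y.lower():
            continue
        if ("~" in x and could_be_short_name(x, y)) or ("~" in y and could_be_short_name(y, x)):
            continue
        return False
    return True


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... of pid as far as the events reach."""
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        yield ev


# "del <path>" with optional switches such as /f /q and an optionally quoted path.
DEL_RE = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^"]+?)"?\s*$', re.I)
# First rundll32 argument: the DLL, terminated by a quote, space, comma or end.
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+?\.dll)(?=["\s,]|$)', re.I)


def find_self_deletion(events):
    """cmd.exe instances whose del target is an ancestor's image: [(cmd_pid, victim_pid)]."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_RE.search(e.cmdline) if ntpath.basename(e.image).lower() == "cmd.exe" else None
        if not m:
            continue
        for anc in ancestors(e.pid, by_pid):
            if paths_match(m.group(1), anc.image):
                hits.append((e.pid, anc.pid))
                break
    return hits


def find_rundll32_of_dropped_dll(events, file_creates):
    """rundll32.exe instances loading a DLL written by themselves or an
    ancestor: [(rundll32_pid, creator_pid, dll_path)]."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = RUNDLL_RE.search(e.cmdline) if ntpath.basename(e.image).lower() == "rundll32.exe" else None
        if not m:
            continue
        lineage = {e.pid} | {a.pid for a in ancestors(e.pid, by_pid)}
        for creator, path in file_creates:
            if creator in lineage and paths_match(m.group(1), path):
                hits.append((e.pid, creator, path))
                break
    return hits


if __name__ == "__main__":
    print("self-deletion:", find_self_deletion(EVENTS))
    print("dropped DLL via rundll32:", find_rundll32_of_dropped_dll(EVENTS, FILE_CREATES))
```

On the report's events this flags PID 2716 deleting 360safe.exe (PID 1276) and PID 2944 deleting the sample (PID 2480), and PID 2820 loading the DLL that PID 1276 created. The short-name comparison deliberately ignores the ~N sequence number, so PROGRA~1 and PROGRA~2 both match C:\Program Files (x86); treat a hit as a candidate to confirm against the file system rather than a proven identity.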
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 9KB
  MD5: 5a20d75fb0c6243004c28a32b10c1f9a
  SHA1: c15459d529b74bcab11dc6f9d0799deaba5666d7
  SHA256: 509f52cf2f4cd6bce012bf14fe90b8ab3fec4133802516d49d2571d096df442c
  SHA512: b9bcd15eedf51db9320542c89c3dfe62492c60e99e80b2ab41b275fc8cc08abb69db20dacf40ce19907082ae930ee50c5215bca406473903726dddad5f8fc4eb
File 2
  Filesize: 289B
  MD5: bd9ee3b37c080a816c49de5c01c24d74
  SHA1: 2ea1c9ab889389ed0a3f376e50c7ff2f93e47c24
  SHA256: dba03ec1089be1c764e6f3a9787c7996e96fbd056abc2b4e3906c1670dacbb09
  SHA512: 81d75be9ed8f36cf591842f62e4ac5ef1b9178ae461a177145cf46b52769daa79717f6f8e0b76221873c88b2fb940a3ffb58cbc8142d7f93e3c1860fdcc0aaf3
File 3
  Filesize: 156KB
  MD5: 9c3263a4e82aa62df5b86eb0a1dae5bb
  SHA1: de7585b23aba1846ceb64ad36e05a79249262389
  SHA256: cd5982a6b3c0010d70d76fbce9315a79490572026fb4810b29d170fb253a466e
  SHA512: be19242bde337dce0156bc8054424e12cdd673e8c6e501d2324ed509b6201f68171beac9b783063dbbeea5ba0459da25f836e96f2fa99528b2d263cfbf554b9e
File 4
  Filesize: 64KB
  MD5: 4e9ad126b4dfbc4e5675adc1952a88a0
  SHA1: 625b3d4388c2d99393256ac7aed9e0169b5f9d2d
  SHA256: 8e63217066afa9b52ae644da2d4e41c9c50c40659cf24ec2a36778917376d167
  SHA512: 1e6753b78d23591909a41065d65ff2e4dbf7be29616ebe49c7d64a4881a4cbe6fd24703a4f7c4d0f6d29d8dfcc39b58ab94f8bb049edc82d5ad651a1c479945b