Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 05:44
Static task: static1
Behavioral task: behavioral1
  Sample: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
Size: 361KB
MD5: d9b920663dab43dbd20f8f0554947cb5
SHA1: ee92cabd75c0bbbae52a7989dab0d36c49ead4b0
SHA256: 8ab2bca76fcb9ffc7d6ae9cd2759a2dc6b7b88d6c481ebc376cc21cf94888fe8
SHA512: 4b7b76510e5b6a0c798963f166d36bcb5e38f51772eefcd96396429feff4b6cd8a808e2252ff85916a218ae0ae4db42e295225b3345b18cf7dea09daa4f58495
SSDEEP: 6144:F86TJmmYlnW2PRTTC0VRNhP/WsnxiP8Au0e:FxPYIWBhVPesno8r5
Malware Config
Signatures
Deletes itself 1 IoCs
  pid 1928  Process cmd.exe

Executes dropped EXE 1 IoCs
  pid 2304  Process ofep.exe

Loads dropped DLL 2 IoCs
  pid 2536  Process d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  pid 2536  Process d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D828F808-3C80-AD4F-7E84-E44A5F96C757} = "C:\\Users\\Admin\\AppData\\Roaming\\Egyrut\\ofep.exe"
  Process: ofep.exe

Suspicious use of SetThreadContext 1 IoCs
  description: PID 2536 set thread context of 1928
  pid: 2536
  Process: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  procid_target: 31
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: ofep.exe

Modifies Internet Explorer settings
  description: Key created  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy  Process: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  description: Set value (int)  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  Process: d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
  pid 2304  Process ofep.exe  (the same entry is recorded 32 times)

Suspicious use of UnmapMainImage 2 IoCs
  pid 2536  Process d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
  pid 2304  Process ofep.exe

Suspicious use of WriteProcessMemory 43 IoCs
  Each row is one "PID <source> wrote to memory of <target>" entry; count is how many times that entry is recorded (total 43).
  source pid  source Process                                      target pid  procid_target  count
  2536        d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe  2304        30             4
  2304        ofep.exe                                            1040        17             5
  2304        ofep.exe                                            1068        18             5
  2304        ofep.exe                                            1112        20             5
  2304        ofep.exe                                            888         23             5
  2304        ofep.exe                                            2536        29             5
  2536        d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe  1928        31             9
  2304        ofep.exe                                            1916        34             5
Processes (indentation shows the parent/child relationship; each entry lists image path, command line and PID)

C:\Windows\system32\Dwm.exe
  cmd: "C:\Windows\system32\Dwm.exe"
  PID: 1040

C:\Windows\system32\taskhost.exe
  cmd: "taskhost.exe"
  PID: 1068

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 1112

  C:\Users\Admin\AppData\Local\Temp\d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\d9b920663dab43dbd20f8f0554947cb5_JaffaCakes118.exe"
    PID: 2536
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Egyrut\ofep.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Egyrut\ofep.exe"
      PID: 2304
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa4595813.bat"
      PID: 1928
      - Deletes itself
      - System Location Discovery: System Language Discovery

C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 888

C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 1916
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 271B
  MD5: 172d101896d0e77b575cb4eb4ea04835
  SHA1: 11336f5df93dee39cee78514c53f92dea6cab49a
  SHA256: ac300c27e8513e38218b98fa0dbf07143302896d261a7eaa8ed8851446dcbe45
  SHA512: 2aacad96c4b7dc3ef395ec4b06d3590096cb1074c241e56780fc1e2f2ff1010d032dd0e88406329ac059fc035468c865004a245ada90052b44c82ea24e1d6df3

File 2
  Filesize: 361KB
  MD5: 768d3dcc51c3f429f6461ccdda32ecda
  SHA1: 7b30a1eb1ed39ca5158e69bc6821262176aed324
  SHA256: 2c69bdec63e7a059eafacd2e9ef7ac419491574e482d800363d984c582938ecb
  SHA512: 7c4c64b64445e486f99999b570e80bf4dc69e42627a73f4836c15cdf886039356ceb0180bf88d483952d74c628364efaf24a460f014ffc0bd0b3361240758a49