Analysis

max time kernel: 139s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 12:32

Static task: static1
Behavioral task: behavioral1
  Sample: da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General

Target: da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe
Size: 376KB
MD5: da5b6491aecd80b669fbdd827849240c
SHA1: 2ef8ec480b38552d6bd33771e880a7aabb5d51d4
SHA256: 28c2eca9a1eaf79aab861620a512481c174357053e5efa95e3760e8478b3b950
SHA512: 4031af5a7ea7db496605505077fc32550cb9064c9b5eba28d1573a55ba6136f3d91dee17b3656cf28be0f6f76f53dc59458b95d433025d399c4b3fcfeb30ea36
SSDEEP: 6144:m7dLJ36f/Qxa3AJFuK6YFCXtr575sDGopDyxGS9Y7iISCNrnFFa1w:mL6fYxeOFVF6trPwhfbTa
Malware Config
Signatures
(The signatures, memory dumps and process tree below are from behavioral1, the windows7_x64 run; PIDs refer to that run.)

Deletes itself (1 IoC)
  pid 2568  aH01300JbFoP01300.exe

Executes dropped EXE (1 IoC)
  pid 2568  aH01300JbFoP01300.exe

Loads dropped DLL (2 IoCs)
  pid 2976  da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe
  pid 2976  da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe

YARA rule match: upx (8 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2976-1-0x0000000000400000-0x00000000004C3000-memory.dmp    upx
  behavioral1/memory/2976-4-0x0000000000400000-0x00000000004C3000-memory.dmp    upx
  behavioral1/memory/2568-87-0x0000000000400000-0x00000000004C3000-memory.dmp   upx
  behavioral1/memory/2568-95-0x0000000000400000-0x00000000004C3000-memory.dmp   upx
  behavioral1/memory/2976-161-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2568-163-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2976-197-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2568-202-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  All eight hits cover the same region, 0x400000-0x4C3000, in both the original process (2976) and the dropped copy (2568).
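The dump identifiers above encode which process, which point in the run and which address range each YARA hit came from. The following is an added example, not part of the sandbox report: it parses those identifier strings exactly as printed (the layout task/memory/pid-seq-start-end-memory.dmp is inferred from them) and compares the dumped region with the sample's size on disk. The 376KB figure is taken as 376 * 1024 bytes because the page gives no exact byte count.

```python
"""Decode the memory-dump identifiers that matched the 'upx' YARA rule.

Added example, not part of the report. Identifier layout
(task/memory/<pid>-<seq>-<start>-<end>-memory.dmp) is inferred from the
strings in the report; nothing else about the sandbox's format is assumed."""
import re

# Copied from the report's yara_rule entries for behavioral1.
UPX_HITS = [
    "behavioral1/memory/2976-1-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2976-4-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2568-87-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2568-95-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2976-161-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2568-163-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2976-197-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "behavioral1/memory/2568-202-0x0000000000400000-0x00000000004C3000-memory.dmp",
]
SIZE_ON_DISK = 376 * 1024  # report says 376KB; exact byte count is not on the page

DUMP_ID = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.I)


def parse_dump_id(ident):
    """Split one dump identifier into task, pid, sequence number and address range."""
    m = DUMP_ID.match(ident)
    if not m:
        raise ValueError(f"unrecognised dump identifier: {ident}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def summarize(hits, size_on_disk=SIZE_ON_DISK):
    """Group the hits by process and address range and size the dumped region."""
    parsed = [parse_dump_id(h) for h in hits]
    regions = sorted({(p["start"], p["end"]) for p in parsed})
    hits_per_pid = {}
    for p in parsed:
        hits_per_pid[p["pid"]] = hits_per_pid.get(p["pid"], 0) + 1
    mapped = max(end - start for start, end in regions)
    return {
        "regions": regions,
        "hits_per_pid": hits_per_pid,
        "mapped_size": mapped,
        # A mapped image larger than the file on disk is what a UPX layout
        # produces: the UPX0 section has no raw data but a large virtual size
        # into which the stub decompresses the original image.
        "larger_than_disk": mapped > size_on_disk,
    }


if __name__ == "__main__":
    s = summarize(UPX_HITS)
    for start, end in s["regions"]:
        print(f"region 0x{start:X}-0x{end:X} ({end - start} bytes), "
              f"disk size {SIZE_ON_DISK} bytes, hits per pid {s['hits_per_pid']}")
```

For this report the single region is 0xC3000 bytes (798720), roughly twice the 376KB file, and it is dumped four times from each of the two processes, which is what you expect when the dropped copy in C:\ProgramData is the same packed image as the original.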
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aH01300JbFoP01300 = "C:\\ProgramData\\aH01300JbFoP01300\\aH01300JbFoP01300.exe"  (process: aH01300JbFoP01300.exe)

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: aH01300JbFoP01300.exe)

Modifies Internet Explorer settings (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main  (process: aH01300JbFoP01300.exe)

NTFS ADS (2 IoCs)
  File created  C:\Users\Admin\AppData\Local\Temp\zzy:\slyhj75mkksdgdx_in_mspe  (process: da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe)
  File created  C:\Users\Admin\AppData\Local\Temp\zzy:\slyhj75mkksdgdx_in_mspe  (process: aH01300JbFoP01300.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, all from pid 2976 (da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe) and pid 2568 (aH01300JbFoP01300.exe): the first run of entries is from 2976 alone, after which the two processes alternate.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2976  da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2568  aH01300JbFoP01300.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2568  aH01300JbFoP01300.exe  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2568  aH01300JbFoP01300.exe  (2 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2568  aH01300JbFoP01300.exe  (2 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2976 (da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe) wrote to memory of 2568, procid_target 30  (4 entries)
  All four writes are from the original process into the dropped copy it launched (see the process tree).
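The signatures above are what a host-side detection should also be able to reproduce from ordinary telemetry: a RunOnce value pointing into a user-writable directory, a file created with an alternate data stream, a read of the NLS\Language key, and a dropped executable launched with the original sample's path as its argument. The following is an added example, not part of the sandbox report or the sample: it runs those four checks over constructed, Sysmon-style event dicts built from the PIDs, paths and registry keys listed on this page, plus one benign control event. The event schema, rule names and severities are this example's own.

```python
"""Re-derive the report's behavioural findings from host telemetry.

Added example, not part of the sandbox report. EVENTS below are constructed
dicts (schema assumed) whose values are the IoCs printed in the report."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe"
DROPPED = r"C:\ProgramData\aH01300JbFoP01300\aH01300JbFoP01300.exe"
USER_SID = "S-1-5-21-312935884-697965778-3955649944-1000"
RUNONCE_KEY = ("\\REGISTRY\\USER\\" + USER_SID +
               "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\aH01300JbFoP01300")

# Constructed events; values taken from the report, the last one is a benign control.
EVENTS = [
    {"type": "process_create", "pid": 2568, "ppid": 2976, "image": DROPPED,
     "cmdline": f'"{DROPPED}" "{SAMPLE}"'},
    {"type": "registry_set", "pid": 2568, "image": DROPPED,
     "key": RUNONCE_KEY, "value": DROPPED},
    {"type": "registry_open", "pid": 2976, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "file_create", "pid": 2976, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\Temp\zzy:\slyhj75mkksdgdx_in_mspe"},
    {"type": "file_create", "pid": 1044, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Admin\Documents\notes.txt"},
]

AUTORUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
NLS_LANGUAGE = re.compile(r"\\Control\\NLS\\Language$", re.I)
QUOTED_ARG = re.compile(r'"([^"]*)"')


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    severity: str
    detail: str


def ads_stream(path):
    """Return (file, stream) if the path names an NTFS alternate data stream.
    The colon after the drive letter is not a stream separator; any later colon is."""
    drive, body = (path[:2], path[2:]) if re.match(r"^[a-z]:", path, re.I) else ("", path)
    if ":" not in body:
        return None
    file_part, stream = body.split(":", 1)
    return drive + file_part, stream


def triage(events):
    """Apply the four checks and return the findings in event order."""
    findings = []
    for e in events:
        t = e["type"]
        if t == "registry_set" and AUTORUN_KEY.search(e["key"]):
            target = e["value"].strip('"')
            name = e["key"].rsplit("\\", 1)[-1]
            # Autorun that points into ProgramData or AppData is the usual dropper layout.
            sev = "high" if USER_WRITABLE.match(target) else "medium"
            findings.append(Finding("autorun_key", e["pid"], sev, f"{name} -> {target}"))
        elif t == "file_create":
            ads = ads_stream(e["path"])
            if ads:
                findings.append(Finding("ntfs_ads_write", e["pid"], "medium",
                                        f"{ads[0]} stream {ads[1]!r}"))
        elif t == "registry_open" and NLS_LANGUAGE.search(e["key"]):
            findings.append(Finding("system_language_discovery", e["pid"], "low", e["key"]))
        elif t == "process_create" and USER_WRITABLE.match(e["image"]):
            args = QUOTED_ARG.findall(e["cmdline"])
            # A copy in a user-writable directory started with another .exe path as
            # its argument is the hand-off behind the report's "Deletes itself" entry.
            handoff = len(args) >= 2 and args[1].lower().endswith(".exe") and args[1] != e["image"]
            findings.append(Finding("dropped_exe_handoff" if handoff else "exe_from_user_writable_dir",
                                    e["pid"], "high" if handoff else "medium", e["cmdline"]))
    return findings


def by_pid(findings):
    """Group rule names per process so a multi-rule PID stands out."""
    out = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity:6}] pid {f.pid} {f.rule}: {f.detail}")
```

On the constructed events the dropped process (2568) collects both the autorun and the hand-off finding, the original (2976) collects the ADS write and the language lookup, and the explorer.exe control produces nothing.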
Processes

1. C:\Users\Admin\AppData\Local\Temp\da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe  (PID 2976)
   Command line: "C:\Users\Admin\AppData\Local\Temp\da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\aH01300JbFoP01300\aH01300JbFoP01300.exe  (PID 2568, child of 2976)
      Command line: "C:\ProgramData\aH01300JbFoP01300\aH01300JbFoP01300.exe" "C:\Users\Admin\AppData\Local\Temp\da5b6491aecd80b669fbdd827849240c_JaffaCakes118.exe"
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
  Filesize: 208B
  MD5: dcf1dcc4b5a8c2fc4f19d5967c0ab60f
  SHA1: bc8195325bce905112f6cc1f7bfcf6bf528f5138
  SHA256: c84bfd49a8c28b342aee26dd4c49ab7b9c4dfb1b197d638b791567b021fa7c58
  SHA512: 4b0b81e4ff8030fdd6c1567e2883636a04094936bfbe65455f56e286f54d8c6e3a7d29a06b740ef0ec6a0dc82310fd7da61554439ce372d9e20a46b326246fd7

Dropped file 2
  Filesize: 376KB
  MD5: d3720aee9cfaf9077570bffc0d1ae45a
  SHA1: 3b21ef20de1ff44d6f189105996aeea83fa95109
  SHA256: d639d8173bf1c437523a5787f3a3f88cdcfaba4d37fa784394829e51a6582563
  SHA512: 7c081702e8c02568d48853bc7e099a4a3ef21965d1de6c1611a7a4da9fb4183cc7a6e0365cc8982424ada0cf5f5b5c009ddb72f568ece1aed21f0596555ff9d8
  Same reported size as the submitted sample (376KB) but different hashes, so it is not a byte-identical copy.