Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
Size: 2.8MB
MD5: dc934a8ebaa131044c6d2cc89a0924db
SHA1: 0ed4478358f60deaa99b7b5ca2e5e92f71363e74
SHA256: 8ac313b05ef8bf20d88e471ce6128287b76c2309436ca66bf4ddd7707d11e660
SHA512: 045439f6f54ee418d955e645762e157021bdc75eaec7db6d29a3eb2f6a347346926659c903f30d84c91754609248386f5492e95424c46c84e580504a805f76ac
SSDEEP: 49152:UrTt1IaV9AgZKA5acoIKwg8ydnKCgl+jSVh5APgUzStr:UrB1IaVmgM8accPe+KWCr
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2012, process isass.exe
- Loads dropped DLL (3 IoCs)
  pid 944, process dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
  pid 944, process dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
  pid 2012, process isass.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""
  process: reg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by isass.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by reg.exe
- Modifies registry key (1 TTP, 1 IoC)
  pid 2796, process reg.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 944, process dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe (6 entries)
  pid 2012, process isass.exe (1 entry)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2012, process isass.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | process | procid_target
  PID 944 wrote to memory of 2012 | 944 | dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe | 31 (4 entries)
  PID 2012 wrote to memory of 2640 | 2012 | isass.exe | 32 (7 entries)
  PID 2640 wrote to memory of 2688 | 2640 | cmd.exe | 34 (4 entries)
  PID 2688 wrote to memory of 2796 | 2688 | cmd.exe | 35 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe (PID 944)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\isass.exe (PID 2012)
      Command line: "C:\Users\Admin\AppData\Local\isass.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2640)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe (PID 2688)
            Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe (PID 2796)
               Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 143B
  MD5: 330d9a81f808b287b999c76c1d932ed6
  SHA1: 95146f6f084c39395e2fae892af065e85fddb8d1
  SHA256: 4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f
  SHA512: 4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812
- Filesize: 537KB
  MD5: ddd81422a680c7c089af0a939276f71d
  SHA1: f96327e4c058d5c5717c5916ae9eee8c0bad9092
  SHA256: 74e532beb9e3580c5bb911d1954791a68f33094e19e7674ce9371f1684537b9e
  SHA512: 75109eb9bdd43f3354633704fbb4b073584e8a6ec88ec55db193e38c96468f235b93117beb32168f716cba04dd3485e85b74c14b882d99340e3abab9e9218fb2
- Filesize: 168KB
  MD5: 6a83a047bf8ef9d04dcc2bb822e424c0
  SHA1: ce699879cb1120f81dd94e9849e608d66cad1520
  SHA256: 35684a659874eaef5ad758afb9382949722a0bd57624b1f5fe30f05be97cfaee
  SHA512: cba4d0d16b76657e2f5b9800aad21346fd28095cac7661081f8bf51a9dc677179fe5e37490cbd04641992d6eba81c66719c1b4002466b2d701283bb07184c140