Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-09-2024 07:09

General

  • Target

    ddec4988a3bd2fae50c55e0bd846d6bb_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    ddec4988a3bd2fae50c55e0bd846d6bb

  • SHA1

    e264373709c947ae5656a9f1e237e9e7b0e6812d

  • SHA256

    0fe962a35ab5173833fc3a176425fbaa22f6239af54ee729c3c1f2b017732b27

  • SHA512

    2958b3b81ec6e1f155d5b68212b4153993759c966ab83e3ae98be2cb8d653a1c401f6fdfedc8893639d319cc4fd07cb6ab9aee6e6da1eaf2ba1816704d841df2

  • SSDEEP

    3072:+v75FPhkhjd1Hz0IeTsjXcvnHZi1r5w/ihLkbM6HVJMVH6JYTdUAgQt6J:GHZsdlzkwDU4w/iyM6HG6JYxVC

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddec4988a3bd2fae50c55e0bd846d6bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ddec4988a3bd2fae50c55e0bd846d6bb_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\vssoik.exe
      "C:\Users\Admin\vssoik.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\vssoik.exe

    Filesize

    252KB

    MD5

    3582c99c917805ad6eee1d4baf1dd0a9

    SHA1

    ef9ae79d83859b8e29f175346e14ceb239a706ce

    SHA256

    d442d56c86841d164fd9ef10ef309d6a8a0c3febe88b5dc6cdaa944ac0e67ff7

    SHA512

    97c1fbc24010aaa5d2044e1a94b2fe300d8480a4b0e3db13bfafe7ed9f950105afec12cc4c007ea546941ea1e42e04d52c48c4278dafc5b71aecf2593710d8ed