Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14/09/2024, 03:37
General
-
Target
df6afd22c123520768ceb5fa00d77011_JaffaCakes118.exe
-
Size
34KB
-
MD5
df6afd22c123520768ceb5fa00d77011
-
SHA1
c4443e03e40b06f9560be46853a4976a330da998
-
SHA256
777bda933889849eabeced11f1e545cb7f74cfb2139567ca6282f1f0903310cc
-
SHA512
624f21ce15f2f87ffa1fa6f0bd294091dfa569d7fd46a2d2becc12209f2dfc21a47736a6b09677d2d14e771cee911be5fec7e24a484ede278e06ce2f23680c87
-
SSDEEP
768:EF9wCA1f/KSE/7fE8aFbh2dqLUgvL89WrsSd6+U/v:EkCA1fiS27qFbhaqLUyL8IrsSd6/v
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df6afd22c123520768ceb5fa00d77011_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\df6afd22c123520768ceb5fa00d77011_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c copy "C:\Users\Admin\AppData\Local\Temp\df6afd22c123520768ceb5fa00d77011_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5df6afd22c123520768ceb5fa00d77011
SHA1c4443e03e40b06f9560be46853a4976a330da998
SHA256777bda933889849eabeced11f1e545cb7f74cfb2139567ca6282f1f0903310cc
SHA512624f21ce15f2f87ffa1fa6f0bd294091dfa569d7fd46a2d2becc12209f2dfc21a47736a6b09677d2d14e771cee911be5fec7e24a484ede278e06ce2f23680c87
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
48KB