Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 12:52
Behavioral task behavioral1
- Sample: e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
- Size: 9.7MB
- MD5: e038ed6403349984198eaf576099eaa0
- SHA1: e5325adc058604bb09aa29904b79918a1f0fee37
- SHA256: caae4a687cd5d377a4d9429c1a66323a3e06cf556abffb2e4f663e1ea54c4c54
- SHA512: f0f94d65f2cb06778aed46245ba5143ad40fe123916a2146d883fa8f3dfb194a5f37da752b9b5f18f251791fe202ea7bb2061e143f2e4bf8b585c5be4f381e57
- SSDEEP: 196608:LHZ4TlJPa6z4J5qgD4ImjXEMGBO7oIrkBwcrFSp82giE2tBx1tmu:LHZQluWTKOzrkB3if
Malware Config
Signatures
- DemonWare: Ransomware first seen in mid-2020.
- Loads dropped DLL (35 IoCs)
  Processes (pid | process): 35 identical entries of 1940 | e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process): 2 entries of Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process): Token: 35 | 1940 | e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process): 4 identical entries of PID 1760 wrote to memory of 1940 | 1760 | e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe | e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe"
  PID: 1760
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe (depth 2, child of PID 1760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e038ed6403349984198eaf576099eaa0_JaffaCakes118.exe"
    PID: 1940
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads