Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 11:22
Static task: static1
Behavioral task: behavioral1
  Sample: e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Size: 142KB
MD5: e25dbd139b267dc08eb10c6e5a9e03ae
SHA1: daa0dbed95076fd223f02239ef71c4c679d1b923
SHA256: d4821b868eca163f5d645847bbf224003ea3479a4e3f6f3f408d9ac7f5420a69
SHA512: 97a636cbd5f0628cd3723afb25feec0c6d09a07577a9126d1b49c63cc63e11e97fd542763512f3c6a8bc041bed648d81c8d5d64294879712bcc6bfafe69e2c77
SSDEEP: 3072:3bnfJk5eMXmCQgxHgiTDXbpxWLTVqT6/X2YyQhIP0+pt3ImKSsTjnB:3bRkYCrHg6TfWfVYkmYV8t3cSsf
Malware Config
Signatures
-
Deletes itself (1 IoC)
  PID 2952  cmd.exe
Executes dropped EXE (1 IoC)
  PID 1900  udag.exe
Loads dropped DLL (2 IoCs)
  PID 2404  e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
  PID 2404  e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A3F6F898-D292-9675-AB66-51F843268974} = "C:\\Users\\Admin\\AppData\\Roaming\\Epox\\udag.exe"  udag.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 2404 (e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe) set thread context of PID 2952 (cmd.exe, sandbox procid_target 30)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  udag.exe
Modifies Internet Explorer settings (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy  e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
NTFS ADS (1 IoC)
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\02BD2977-00000001.eml:OECustomProperty  WinMail.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 1900  udag.exe  (31 identical events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeSecurityPrivilege  PID 2404  e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe  (3 identical events)
  Token: SeManageVolumePrivilege  PID 2576  WinMail.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2576  WinMail.exe
Suspicious use of SendNotifyMessage (1 IoC)
  PID 2576  WinMail.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2576  WinMail.exe
Suspicious use of WriteProcessMemory (48 IoCs)
  Columns: writing PID (process), target PID (process, from the process tree below), sandbox procid_target, number of identical events.
  2404 (e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe) wrote to memory of 1900 (udag.exe), procid_target 28: 4 events
  1900 (udag.exe) wrote to memory of 1124 (taskhost.exe), procid_target 19: 5 events
  1900 (udag.exe) wrote to memory of 1188 (Dwm.exe), procid_target 20: 5 events
  1900 (udag.exe) wrote to memory of 1216 (Explorer.EXE), procid_target 21: 5 events
  1900 (udag.exe) wrote to memory of 1672 (DllHost.exe), procid_target 23: 5 events
  1900 (udag.exe) wrote to memory of 2404 (e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe), procid_target 27: 5 events
  2404 (e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe) wrote to memory of 2952 (cmd.exe), procid_target 30: 9 events
  1900 (udag.exe) wrote to memory of 776 (DllHost.exe), procid_target 34: 5 events
  1900 (udag.exe) wrote to memory of 1312 (DllHost.exe), procid_target 35: 5 events
Processes
(Indentation shows parent/child relationship; each entry is image path, command line, PID, then the signatures hit by that process.)

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1124
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1188
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1216
  C:\Users\Admin\AppData\Local\Temp\e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe"  PID:2404
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Epox\udag.exe  "C:\Users\Admin\AppData\Roaming\Epox\udag.exe"  PID:1900
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf238fa9b.bat"  PID:2952
      - Deletes itself
      - System Location Discovery: System Language Discovery
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1672
C:\Program Files\Windows Mail\WinMail.exe  "C:\Program Files\Windows Mail\WinMail.exe" -Embedding  PID:2576
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:776
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:1312
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 2.0MB
  MD5: b50b2a7a73be1257d0f9213e0b4f11ba
  SHA1: 85f6b1fc6d84345c8a2c12db6be274fb68341391
  SHA256: 6556655e5fa0e3ff12c14f3673aca120d14b3cfe3242e98e01b1cc9cf6382e46
  SHA512: 13988cd0e0cbf759dfa5c50905434098a552fcf8f3108bd24d3be2382c7d41882e28b8390bc70068ee2c8cbb596a187488718a3dbe5296812457b8db1e0c3db0
File 2
  Filesize: 271B
  MD5: 8476ba0d917341d383ccf7ac0c54f0c0
  SHA1: 93e41885cdce71d838f058a63df35bda8559fb29
  SHA256: d0038df605141520c0339eb21798e9e442df5d62b1a99a663415a24bb9997525
  SHA512: a9892ec90abbb3a601778b960b2afb0fcdc1b6baa809494fbeb0cbdeb8849b355ede879764e6ab1bf566133519f150faf2a3237e23de8ce667169d9a934d7742
File 3
  Filesize: 380B
  MD5: 6caaf13000eec549e7677e8426fde5d7
  SHA1: 4e479cbc08a01f23a7afa39d41591f6dabe6723c
  SHA256: a3de0299487bc3a3475bf12a9475dc9dab3040f74485c820c62ca1843c66207b
  SHA512: cacc1fb83cfdfc4280362e88440a65a79235528cd3531aee48250b0e80203365423d63c53858aaf3feec745a6334130c1872b2d058d290b23bcf81b32988f8d9
File 4
  Filesize: 142KB
  MD5: e1585f01b3276ae48666e7040f99337f
  SHA1: 24cc44719a8b412f0d077ee6ff4f49e353e34d00
  SHA256: 7b6f7071977b439dfa5e0ebc82702d25e34319770fda386a3c636ceab944801a
  SHA512: 33069ea8c5afb051466bfb842e875ab525d27a5a66ed5a6fe6db0c27ff8e64416b49a61f5fefcd4e07129be7c699f496c369a62ca6dd9a4dd4dc135a8322c4c9