Analysis

max time kernel: 41s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2024 11:47

Static task: static1
Behavioral task: behavioral1
  Sample: e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General

Target: e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe
Size: 328KB
MD5: e268d4d51db6cd652b38d723f9b0e2dd
SHA1: 1bfd85b175c33e40e20ea899bcd41652e1b0bb26
SHA256: 2ca4f6791dae06fe2d09d4240f53f2fc8761d37c3171558a4ebb50ec8dd18cba
SHA512: 0c5d14b28d8daa1d8ef5cd79a67320fcc918928b58d6b50b36caf7cb33e9ebf61c4597869223c94b2267e27e1cb847fa67ea44b1c7e516f3417d3412a4cb1d66
SSDEEP: 6144:Jz+izw2BtU4OlX2sxVypUBMelfHeSpLoWruZP:Z+izwhmsxw4MamS5rq
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2732  mypic.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mypic.exe

Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid   process
  2732  mypic.exe   (the same row is recorded 43 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2732  mypic.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process                                              procid_target
  PID 2404 wrote to memory of 2732  2404  e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe   32   (the same row is recorded 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe"
  depth 1, PID 2404
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\mypic.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\mypic.exe"
    depth 2, PID 2732 (child of PID 2404)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
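The signature tables and the process tree above arrive flattened, one table per line with every event repeated inline. The following script is an added example, not part of the report or of the sandbox's own tooling: it parses those rows back into structured events (the row strings are copied from this report; the 43 identical EnumeratesProcesses rows and 4 identical WriteProcessMemory rows are regenerated rather than pasted), collapses repeats into the "N IoCs" counts, rebuilds the parent/child tree from the printed depths, and applies a simple heuristic for the chain seen here: a parent in %TEMP% that writes into the memory of a dropped child in %TEMP% which then enables SeDebugPrivilege. The column layouts assumed for each table are the ones shown on this page.

```python
"""Parse flattened Triage-style signature rows and process tree (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Signature rows exactly as the report prints them (repeated rows regenerated).
SIGNATURES = {
    "Executes dropped EXE": "2732 mypic.exe",
    "System Location Discovery: System Language Discovery":
        r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mypic.exe",
    "Suspicious behavior: EnumeratesProcesses": " ".join(["2732 mypic.exe"] * 43),
    "Suspicious use of AdjustPrivilegeToken": "Token: SeDebugPrivilege 2732 mypic.exe",
    "Suspicious use of WriteProcessMemory": " ".join(
        ["PID 2404 wrote to memory of 2732 2404 "
         "e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe 32"] * 4),
}

# Process tree rows from the report: (image path, printed tree depth, pid).
PROCESS_ROWS = [
    (r"C:\Users\Admin\AppData\Local\Temp\e268d4d51db6cd652b38d723f9b0e2dd_JaffaCakes118.exe", 1, 2404),
    (r"C:\Users\Admin\AppData\Local\Temp\mypic.exe", 2, 2732),
]

PID_PROC = re.compile(r"(\d+) (\S+)")
# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


@dataclass(frozen=True)
class Event:
    signature: str
    pid: int
    process: str
    detail: str = ""              # privilege name, registry key, or empty
    target: Optional[int] = None  # only set for WriteProcessMemory rows


def pid_for(process: str) -> int:
    """Resolve a process name to its pid via the process tree."""
    return next(pid for path, _, pid in PROCESS_ROWS if path.endswith("\\" + process))


def parse_signature(name: str, row: str) -> list[Event]:
    """Split one flattened signature row into one Event per original table line."""
    if name == "Suspicious use of WriteProcessMemory":
        return [Event(name, int(src), proc, f"procid_target={tid}", int(dst))
                for src, dst, proc, tid in WPM.findall(row)]
    if row.startswith("Token: "):
        _, priv, pid, proc = row.split()
        return [Event(name, int(pid), proc, priv)]
    if row.startswith("Key opened "):
        _, _, key, proc = row.split()  # this table has no pid column
        return [Event(name, pid_for(proc), proc, key)]
    return [Event(name, int(pid), proc) for pid, proc in PID_PROC.findall(row)]


def load_events() -> list[Event]:
    return [e for name, row in SIGNATURES.items() for e in parse_signature(name, row)]


def summarize(events: list[Event]) -> Counter:
    """Collapse identical rows into counts; this is what '43 IoCs' denotes."""
    return Counter(events)


def build_tree(rows=PROCESS_ROWS) -> dict[int, tuple[str, Optional[int]]]:
    """pid -> (path, parent pid); the parent is the nearest shallower row above."""
    tree, stack = {}, []  # stack of (depth, pid)
    for path, depth, pid in rows:
        while stack and stack[-1][0] >= depth:
            stack.pop()
        tree[pid] = (path, stack[-1][1] if stack else None)
        stack.append((depth, pid))
    return tree


def flag_dropper_chain(tree, events: list[Event]) -> list[str]:
    """Parent and child both in %TEMP%, parent wrote into the child, and the
    child is a dropped EXE that enabled SeDebugPrivilege."""
    in_temp = lambda p: "\\appdata\\local\\temp\\" in p.lower()
    writes = {(e.pid, e.target) for e in events if e.target is not None}
    dropped = {e.pid for e in events if e.signature == "Executes dropped EXE"}
    debug = {e.pid for e in events if e.detail == "SeDebugPrivilege"}
    findings = []
    for pid, (path, parent) in tree.items():
        if parent is None or not (in_temp(path) and in_temp(tree[parent][0])):
            continue
        if (parent, pid) in writes and pid in dropped and pid in debug:
            findings.append(f"pid {parent} -> pid {pid} ({path}): dropped EXE in Temp, "
                            f"written to by parent, enabled SeDebugPrivilege")
    return findings


if __name__ == "__main__":
    evs = load_events()
    for ev, n in summarize(evs).items():
        print(f"{n:3d}x {ev.signature}: pid {ev.pid} {ev.process} {ev.detail}")
    for line in flag_dropper_chain(build_tree(), evs):
        print("FLAG:", line)
```

The tree builder uses only the printed depth column, so it also works for deeper chains than the two-level one here; the WriteProcessMemory edge is checked separately rather than assumed from the tree, because the two are independent observations in the report.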
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 171KB
MD5: df4cc1057d7a3dd2e8612e37a89fef00
SHA1: b9c3aa169c47861e7fd13f88820e9ba90338ab38
SHA256: cdcd3729090ac6b0d556311e3b2e579fd4c6eed845332556cc5766b3758f53ae
SHA512: 0567f2119c56b2056c40093808d68d2268434a919ba601052324cdc3c280a70ba4b42bc348316786585447312fdea2e4f4732f7eb31f1e79642a2fff247f4a77