Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/09/2024, 20:52
Behavioral task: behavioral1
- Sample: e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
- Size: 22KB
- MD5: e9f308aaa2c3a2f8170fb8d0a0b852c6
- SHA1: bfb2fa5fd6528565af0cafb959d9f729ee559bc6
- SHA256: 918db5e76ca50865924cac294e03b59ff8f20785edbf9656d948bbf364a8aa7e
- SHA512: 0fbbba2a7c31a4777cbac4bf77eade23d2d33ccaedbe1b7fe5827cba4da4745dab404618a674a956debf8e8e65676fe454dbf56970dd5c9cae81bb6d97e1b5e3
- SSDEEP: 384:0SNawH3lP/TO3542dmvPMrbKXrwP9YCyiQOK5M+1YBDNkokXXEkCH4:0SNzXl/a6vPyKXrwjQOK5MUSJmK
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2160  SVCHOST.EXE

- resource: behavioral1/memory/2492-0-0x0000000000400000-0x000000000040D000-memory.dmp
  yara_rule: upx
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     SVCHOST.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
  2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
  2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                    pid   Process                                              procid_target
  PID 2492 wrote to memory of 2160   2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe   31
  PID 2492 wrote to memory of 2160   2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe   31
  PID 2492 wrote to memory of 2160   2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe   31
  PID 2492 wrote to memory of 2160   2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe   31
  PID 2492 wrote to memory of 2160   2492  e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe   31
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9f308aaa2c3a2f8170fb8d0a0b852c6_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2492
  - [2] C:\Windows\syswow64\SVCHOST.EXE
    Command line: C:\Windows\syswow64\SVCHOST.EXE
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2160