Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 02:42
Behavioral task behavioral1
Sample: ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
Size: 40KB
MD5: ea6fe9fd65db717a567dddd195df694e
SHA1: 5e4362840df553f4f31bce22362bd466a0b244ec
SHA256: e5ae185df66f3b9fc1cdb649e2b3024b388b0032e90ac97d935be13e342deb41
SHA512: 90c05a4baec0c1ecd90e30b043fadf2dd940522b9ff1da8447ae20e029d1e2ee95385b0ca19833667a8340fab1f7943ca011f0d08c7f1f61142b9fec76a0bb6f
SSDEEP: 768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHa+:aqk/Zdic/qjh8w19JDHD
Malware Config
Signatures
Detects MyDoom family (2 IoCs)
resource / yara_rule:
behavioral2/memory/1476-0-0x0000000000500000-0x000000000050D000-memory.dmp / family_mydoom
behavioral2/files/0x000a00000001da74-49.dat / family_mydoom
Executes dropped EXE (1 IoCs)
pid / Process:
1912 / services.exe
resource / yara_rule:
behavioral2/files/0x0008000000023475-6.dat / upx
behavioral2/memory/1912-7-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-13-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-14-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-18-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-22-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-23-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-27-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-31-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-32-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-36-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-134-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-154-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-157-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-161-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-190-0x0000000000400000-0x0000000000408000-memory.dmp / upx
behavioral2/memory/1912-218-0x0000000000400000-0x0000000000408000-memory.dmp / upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" / services.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
Drops file in Windows directory (3 IoCs)
description / ioc / Process:
File created / C:\Windows\services.exe / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
File opened for modification / C:\Windows\java.exe / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
File created / C:\Windows\java.exe / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target:
PID 1476 wrote to memory of 1912 / 1476 / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe / 85
PID 1476 wrote to memory of 1912 / 1476 / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe / 85
PID 1476 wrote to memory of 1912 / 1476 / ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe / 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\ea6fe9fd65db717a567dddd195df694e_JaffaCakes118.exe" (PID:1476)
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe "C:\Windows\services.exe" (PID:1912)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads