Analysis
max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 03:24
Static task
static1
Behavioral task
behavioral1
Sample
ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target: ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Size: 85KB
MD5: ea7ee02e2f4c46062b37d80748ed5d86
SHA1: 08c9caf57077a4e96d5cb0dff1a7ca02e3ea0283
SHA256: 43b84b19a518850837a68b4fef8154acaa859a60aad052c872177346be0f1ff1
SHA512: 49b20077e0a37183b514556ac7e155d3dcdd2c8022cdabf33313249d56eee5904e553e962d15f824bb5af818d80f21e4e84ee60ab0157d03b9dda9efe670e6f4
SSDEEP: 1536:OvTu6HYjXgHgXfzao2fgUwr+PG0F0b2eo3MBdweVKY/UfoJ:AYMHgYc+f0b2H3MBd/r
Malware Config
Signatures
Deletes itself 1 IoCs
pid   Process
2836  cmd.exe
Executes dropped EXE 1 IoCs
pid   Process
2860  co39e.exe
Loads dropped DLL 2 IoCs
pid   Process
2292  ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
2292  ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{82EFB4B7-B92F-B848-DD4C-3A868D0742BE} = "C:\\Users\\Admin\\AppData\\Roaming\\17488\\co39e.exe"
Process: co39e.exe
Suspicious use of SetThreadContext 1 IoCs
description: PID 2292 set thread context of 2836
pid: 2292
Process: ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
procid_target: 32
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid   Process
2860  co39e.exe   (this identical entry is listed 32 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeSecurityPrivilege
pid: 2292
Process: ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 48 IoCs
Identical entries are collapsed below; the report lists 48 in total.
pid   Process                                             procid_target  description                        entries
2292  ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe  31             PID 2292 wrote to memory of 2860   4
2860  co39e.exe                                           19             PID 2860 wrote to memory of 1104   5
2860  co39e.exe                                           20             PID 2860 wrote to memory of 1164   5
2860  co39e.exe                                           21             PID 2860 wrote to memory of 1192   5
2860  co39e.exe                                           23             PID 2860 wrote to memory of 1228   5
2860  co39e.exe                                           29             PID 2860 wrote to memory of 2292   5
2292  ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe  32             PID 2292 wrote to memory of 2836   9
2860  co39e.exe                                           34             PID 2860 wrote to memory of 2332   5
2860  co39e.exe                                           35             PID 2860 wrote to memory of 1784   5
Processes
(image, command line, PID; indentation reflects the process tree depth)
- C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1104
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1164
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1192
  - C:\Users\Admin\AppData\Local\Temp\ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe"  PID:2292
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\17488\co39e.exe  "C:\Users\Admin\AppData\Roaming\17488\co39e.exe"  PID:2860
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp41039126.bat"  PID:2836
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1228
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:2332
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:1784
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 6f18a9b6254cb125d9e1b371ab4ffec6
  SHA1: 7d2519dd4b69e738a433416267fe90aeb4f0686c
  SHA256: 09b33533e36eded2df209d21a93b551408f650df4e464e06d554f6859c51f4ec
  SHA512: fa8d6b61cd986ce4cdd7efa9307e1742ee21f156de19ef58f146457b026e884edb9c43a7f3992c73fb6cae672f9ca832609df95f8219a07b00af193b914f49e4
- Filesize: 85KB
  MD5: 85f94e83d3ded29a2d7447eaa8b57ef4
  SHA1: df33fa9aa14448b0e79991a970c13c7c4ba9f542
  SHA256: 6fce25655e2c2d36b390cce43fd9c5ea6117f29029976915d4358a7684f61f77
  SHA512: 3073a31a6aeacb5fdafbd879bed92d50ae6f816dc75f48ae4744e0f105e1ab27c9cdfb18efaf4f33e450a0361f9e1e5e2766bbc8e3c78d2b23014380495c5d6d