Analysis

max time kernel: 142s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 05:47 UTC
Static task: static1

Behavioral task: behavioral1
  Sample: eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe
Size: 750KB
MD5: eab2bb0ef5b0f3848cc64506655dc4d7
SHA1: 561385996f1739ea6bfaac0a7cbf27698bddfb7f
SHA256: 3a913114cba8e4160c18ff483bd15c1906615facd1da1e34335210f56075ef9f
SHA512: dbfb2c04a0884a26470ae09b15c5bda22ad066e0e2f75e33a18e5af501584420050820caf2fc50049eaa54471b6119b1569b9e0bdd33cf7b77e6d1f638f47b90
SSDEEP: 12288:4upCHIvNfPVUbPVIAkDYBGRqnRyktfuoBCzWsdPTDPfJ4F3Z4mxxZo3ABt4QCde5:xpKIxAmuBGRWRyktpK1dPTLJ4QmXZQup
Malware Config
Signatures

- Executes dropped EXE (3 IoCs)
  pid   Process
  2880  1EXE~1.EXE
  3000  RunMgr.EXE
  2112  Hacker.com.cn.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  2148  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe
  2148  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe

- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

- Drops file in Windows directory (3 IoCs)
  description                   ioc                          Process
  File created                  C:\Windows\RunMgr.EXE        1EXE~1.EXE
  File created                  C:\Windows\Hacker.com.cn.exe RunMgr.EXE
  File opened for modification  C:\Windows\Hacker.com.cn.exe RunMgr.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                     Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1EXE~1.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RunMgr.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hacker.com.cn.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              3000  RunMgr.EXE
  Token: SeIncBasePriorityPrivilege    2880  1EXE~1.EXE
  Token: SeDebugPrivilege              2112  Hacker.com.cn.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2112  Hacker.com.cn.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  description                      pid   Process                                             procid_target
  PID 2148 wrote to memory of 2880 2148  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe  30
  PID 2148 wrote to memory of 2880 2148  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe  30
  PID 2148 wrote to memory of 2880 2148  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe  30
  PID 2148 wrote to memory of 2880 2148  eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe  30
  PID 2880 wrote to memory of 3000 2880  1EXE~1.EXE                                          31
  PID 2880 wrote to memory of 3000 2880  1EXE~1.EXE                                          31
  PID 2880 wrote to memory of 3000 2880  1EXE~1.EXE                                          31
  PID 2880 wrote to memory of 3000 2880  1EXE~1.EXE                                          31
  PID 2880 wrote to memory of 2632 2880  1EXE~1.EXE                                          32
  PID 2880 wrote to memory of 2632 2880  1EXE~1.EXE                                          32
  PID 2880 wrote to memory of 2632 2880  1EXE~1.EXE                                          32
  PID 2880 wrote to memory of 2632 2880  1EXE~1.EXE                                          32
  PID 2880 wrote to memory of 2768 2880  1EXE~1.EXE                                          34
  PID 2880 wrote to memory of 2768 2880  1EXE~1.EXE                                          34
  PID 2880 wrote to memory of 2768 2880  1EXE~1.EXE                                          34
  PID 2880 wrote to memory of 2768 2880  1EXE~1.EXE                                          34
  PID 2112 wrote to memory of 672  2112  Hacker.com.cn.exe                                   37
  PID 2112 wrote to memory of 672  2112  Hacker.com.cn.exe                                   37
  PID 2112 wrote to memory of 672  2112  Hacker.com.cn.exe                                   37
  PID 2112 wrote to memory of 672  2112  Hacker.com.cn.exe                                   37
Processes

- C:\Users\Admin\AppData\Local\Temp\eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe (PID 2148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab2bb0ef5b0f3848cc64506655dc4d7_JaffaCakes118.exe"
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1EXE~1.EXE (PID 2880)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1EXE~1.EXE
    Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    - C:\Windows\RunMgr.EXE (PID 3000)
      Command line: "C:\Windows\RunMgr.EXE"
      Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\cmd.exe (PID 2632)
      Command line: cmd.exe /c del %SystemRoot%\Debug.exe
      Signatures:
        - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 2768)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1EXE~1.EXE > nul
      Signatures:
        - System Location Discovery: System Language Discovery

- C:\Windows\Hacker.com.cn.exe (PID 2112)
  Command line: C:\Windows\Hacker.com.cn.exe
  Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 672)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 376KB
  MD5: 26352054385070eb54ed35f106011c45
  SHA1: 68c86412a280a109f9ac3b662aa05654b40e5220
  SHA256: 180aeccac2b2e162a27a7465adb12cdc0d906e9cb951f1b6e1d6d744945213ce
  SHA512: a2c5f602432bc9b40f1c4daef2f7a84f1b8d7e0f65c0a875551fb762c15216e973c6a3b2e0309e26d7970522bfbf5942f2148edf8382c400b2c1f20766688235

- Filesize: 428KB
  MD5: 892360f7cb280d61e64608d1626da691
  SHA1: 5465140d70dca843b6552575db3332900e08748e
  SHA256: 61ae9484b94614f0faa4cc29ec24a544b5d355314b4ae54c9b91bb6dba592570
  SHA512: 77eccebe235932c12e6b8a878f8ca3e700fd83fa6fe15afb5761ea5e04e0042f68c35f2db30720dc47fcb1efe77855fc3fac92cc21637d512406a8129f050ef3