Analysis

  • max time kernel
    142s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 05:56 UTC

General

  • Target

    eab5f1835ca428168ad81c9fb0599787_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    eab5f1835ca428168ad81c9fb0599787

  • SHA1

    c49a843c76af33e531aef759d43461319cfb2f52

  • SHA256

    07781a866734d4d058734f1520164ad318b8ef2b1a20920382251eea7d09926e

  • SHA512

    1be6459879f7456db46c4b04e800e50d97380c9a2a1756f6b06b7dfeda09f3b5730159f2375674150c6b55738a97ab04ad2196179b7ff48ae5fd250dbebce414

  • SSDEEP

    6144:32HjogGMqUSErB32IpxsgFFE8rkKAlKqN87GxQMEwpfY6I0uoQf9TNAGgDxC6O5:GHGMqUDFpxn7ESq0Gxqw5hDQfVcNO5

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 37 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab5f1835ca428168ad81c9fb0599787_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab5f1835ca428168ad81c9fb0599787_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Delete.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3012
  • C:\Windows\systrm
    C:\Windows\systrm
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of FindShellTrayWindow
    PID:2844

Network

  • flag-us
    DNS
    Domain: www.135lf.cn
    Process: systrm
    Remote address: 8.8.8.8:53
    Request: www.135lf.cn IN A
    Response: No results found
  • 8.8.8.8:53
    www.135lf.cn
    dns
    systrm
    58 B
    111 B
    1
    1

    DNS Request

    www.135lf.cn

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Delete.bat

    Filesize

    214B

    MD5

    1c5735c55574e11cef60e9126d7c2bcb

    SHA1

    fbe4a9323a422c35c3434ba08adb2a513d4b2a01

    SHA256

    a5959a8ad64f79e93f91a030c17a42e25af1e393adbb64b982610ad8b602399f

    SHA512

    b2680ab7d4fcc6623ff579065196e3a44e78257e5d9167ef62fd7fc3200b094173f2b4dde70f736e0823099c3cddcde2b533d17d457c6b8306e14f597f279766

  • C:\Windows\systrm

    Filesize

    400KB

    MD5

    eab5f1835ca428168ad81c9fb0599787

    SHA1

    c49a843c76af33e531aef759d43461319cfb2f52

    SHA256

    07781a866734d4d058734f1520164ad318b8ef2b1a20920382251eea7d09926e

    SHA512

    1be6459879f7456db46c4b04e800e50d97380c9a2a1756f6b06b7dfeda09f3b5730159f2375674150c6b55738a97ab04ad2196179b7ff48ae5fd250dbebce414

  • memory/2008-0-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB

  • memory/2008-3-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2008-15-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB

  • memory/2844-5-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB

  • memory/2844-6-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2844-18-0x0000000000400000-0x00000000004BA09F-memory.dmp

    Filesize

    744KB

  • memory/2844-19-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB