Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 19-09-2024 05:56
Static task: static1
Behavioral task: behavioral1
Sample: eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe
Size: 129KB
MD5: eab6164feb7d381e1562600465759fbe
SHA1: 72b645113831a1560c01b424267b5ce5ea37618c
SHA256: 0d6ce18f06c63db09a1691fec3b07c4995c7188fa4e31ee0b93f9c04c9f86f97
SHA512: 9e5bdb1bba697f443330ec4dad6e9109e3a70ade1c9129b1259cf54532f52218bb1b470dca78815143635c89036acd79581edf6090cda874f2d364eb46de4aee
SSDEEP: 1536:+q5TGp6BnjYkHIFp/Qgg2yIgznPb67VPVNJQChVO5Wcs24qz:+mkFp/Qgg3TznDENnhVO5Wce
Malware Config
Extracted
systembc: 91.243.83.73
dns: 5.132.191.104
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  2752  whrs.exe
Drops file in Windows directory (1 IoCs)
  description   ioc                                  Process
  File created  C:\Windows\Tasks\Test Task17.job     eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  whrs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2948 wrote to memory of 2752  2948  taskeng.exe  32
  PID 2948 wrote to memory of 2752  2948  taskeng.exe  32
  PID 2948 wrote to memory of 2752  2948  taskeng.exe  32
  PID 2948 wrote to memory of 2752  2948  taskeng.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 2512

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {CDDD9572-3444-414A-8CB0-E289D57F6E14} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2948

  C:\ProgramData\ewnqf\whrs.exe (child of taskeng.exe)
    Command line: C:\ProgramData\ewnqf\whrs.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129KB
MD5: eab6164feb7d381e1562600465759fbe
SHA1: 72b645113831a1560c01b424267b5ce5ea37618c
SHA256: 0d6ce18f06c63db09a1691fec3b07c4995c7188fa4e31ee0b93f9c04c9f86f97
SHA512: 9e5bdb1bba697f443330ec4dad6e9109e3a70ade1c9129b1259cf54532f52218bb1b470dca78815143635c89036acd79581edf6090cda874f2d364eb46de4aee

Filesize: 214B
MD5: f923f291ff386d639bdfc00728bc394f
SHA1: e15af4c270a0492b67ea1db74a763b9a5deb2ca5
SHA256: 155f60cb4e67514e298b084e55535cd1cc5c1a4d32eab60667b854cb0a8da3c2
SHA512: 3258b5573189f33675014365e8834108a1aed67f4e462cdfaee641c1a0d833c13e07b06f904e530423445bc2d82d527a8c5d65bf484096667a7ceff5f16403a5