Analysis

  • max time kernel
    6s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 10:00 UTC

Errors

Reason
Machine shutdown

General

  • Target

    eb189dbf12f06df432318b374ffa1dd2_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    eb189dbf12f06df432318b374ffa1dd2

  • SHA1

    6df67378a1fe8c11298ebf7bb7de16023e10c03a

  • SHA256

    f1da26793572f3be8eff3a50ee4ee4756aebc3de36f07b1a172d1000471aa3cf

  • SHA512

    b0f9ee7535343f8a71f74939445b606e549d189bee98fae970b0ee68684a16a6c40bc2ba9713a1cdde6e32c6a2f73604309d1a1f68fe8182960b15497b2e3935

  • SSDEEP

    3072:GLjKGBRCtA6D6lMOCqYry1Shx0YPLgo47Y:RCCtZhvy1ShNI7Y

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb189dbf12f06df432318b374ffa1dd2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb189dbf12f06df432318b374ffa1dd2_JaffaCakes118.exe"
    PID:3048
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    PID:1040
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      PID:2764

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1040-5-0x0000000002D90000-0x0000000002D91000-memory.dmp
    Filesize
    4KB
  • memory/2764-6-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
    Filesize
    4KB
  • memory/3048-0-0x0000000001001000-0x0000000001002000-memory.dmp
    Filesize
    4KB
  • memory/3048-1-0x0000000001000000-0x000000000101A000-memory.dmp
    Filesize
    104KB
  • memory/3048-2-0x0000000001000000-0x000000000101A000-memory.dmp
    Filesize
    104KB
