Analysis
  max time kernel: 118s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 19/09/2024, 19:29
Static task: static1
Behavioral task: behavioral1
  Sample: ec0a7ed8491b3f3986876ad16f097c47_JaffaCakes118.jad
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ec0a7ed8491b3f3986876ad16f097c47_JaffaCakes118.jad
  Resource: win10v2004-20240802-en
General
  Target: ec0a7ed8491b3f3986876ad16f097c47_JaffaCakes118.jad
  Size: 69KB
  MD5: ec0a7ed8491b3f3986876ad16f097c47
  SHA1: 9f56adb66dd968a9c972dd251d1f3864224993e9
  SHA256: 0cfc8daced46d8024c96c7ab92409bb27aed29c8bca51ada8d494a0709be250d
  SHA512: d23292e3d2b814ce30ee8f045a30824d59890cda04b0ea61c8fe0a4d128d0f6788464c5082d2ca1f5597e0541484860f1fca767d6bd286ba2a9e2bb7e2ba7073
  SSDEEP: 1536:exY2pxBWG1vAxhEopEs2kDcltw+sej56a:cVhYViODcLw+seFl
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\jad_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.jad | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\jad_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2824 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2824 | AcroRd32.exe
  2824 | AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 1648 | 2156 | cmd.exe | 31
  PID 2156 wrote to memory of 1648 | 2156 | cmd.exe | 31
  PID 2156 wrote to memory of 1648 | 2156 | cmd.exe | 31
  PID 1648 wrote to memory of 2824 | 1648 | rundll32.exe | 33
  PID 1648 wrote to memory of 2824 | 1648 | rundll32.exe | 33
  PID 1648 wrote to memory of 2824 | 1648 | rundll32.exe | 33
  PID 1648 wrote to memory of 2824 | 1648 | rundll32.exe | 33
Processes
  C:\Windows\system32\cmd.exe (depth 1)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ec0a7ed8491b3f3986876ad16f097c47_JaffaCakes118.jad
    - Suspicious use of WriteProcessMemory
    PID: 2156
    C:\Windows\system32\rundll32.exe (depth 2)
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ec0a7ed8491b3f3986876ad16f097c47_JaffaCakes118.jad
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 1648
      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3)
        command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ec0a7ed8491b3f3986876ad16f097c47_JaffaCakes118.jad"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3KB
  MD5: 5e13cc82ff3955cb0cc278bce5bc513f
  SHA1: 284f94a04e1a805b6ada944094c333c68dd9d7a9
  SHA256: 6b0d7d0c8a0b0391ae1535d9cbd6efb48f58e6db10ee85f069aa487b31203d03
  SHA512: 77f5b010ada8f14bcab17aedf1af29bb48ac3178673f5a2a2367cd52b9f70f7a3606151380e4877dc6396885eca4fa78b7261705c1657606048395706e799072