Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 11:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe
-
Size
312KB
-
MD5
ed7b43b9fa826550f49e89e1c29b4771
-
SHA1
4f1980f203d2223f00e20d68fe966f2352a186c5
-
SHA256
c85d036dfadff22ab5696e81add0902c6fc66b5ef7f8bf86a31fc4db5b031557
-
SHA512
2c39551fed4e9816c391d8d2ac32af85cd52a559abafa6cf34364066e843f1c18a1a69ad29dd46ac52b734df8e5fde509c1e750dc2f4b8743682eeea75151341
-
SSDEEP
6144:el7ZvTlIpr1f+XqO5aOmSGFDbeOjLPmU2gF:epTlIB1f+55SpNPmU7F
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" sbcul.exe -
Executes dropped EXE 1 IoCs
pid Process 2760 sbcul.exe -
Loads dropped DLL 2 IoCs
pid Process 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /d" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /m" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /b" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /h" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /a" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /w" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /r" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /n" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /x" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /l" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /u" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /z" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /c" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /d" ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /g" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /f" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /p" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /e" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /y" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /t" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /k" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /q" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /j" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /s" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /i" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /v" sbcul.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbcul = "C:\\Users\\Admin\\sbcul.exe /o" sbcul.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sbcul.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe 2760 sbcul.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 2760 sbcul.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2760 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 30 PID 1924 wrote to memory of 2760 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 30 PID 1924 wrote to memory of 2760 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 30 PID 1924 wrote to memory of 2760 1924 ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed7b43b9fa826550f49e89e1c29b4771_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Users\Admin\sbcul.exe"C:\Users\Admin\sbcul.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2760
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
312KB
MD5dc13b6963b0d61d8b90bfc3bc100b71e
SHA15e2b8a78df7b1d72ac78b57f13deaf71f302d32e
SHA25640e01e7f5343af36041a95105d03b453d4cc02cd440634e1f9a86d182ed4dbeb
SHA5120ef7d4d28e7fcbe8e1728a27f66c08b3680da3a6aa5d687a02e2a9a86c7b2b15eedd4eb85618c70fde15d0e90c34302f188486e18c6821d2ed01762e9d28b657