Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 20-09-2024 17:02

Static task: static1
Behavioral task: behavioral1
- Sample: ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
- Size: 262KB
- MD5: ee0adcbb4c9e73acff811a53a736a175
- SHA1: 9d28c12722a4fcb3309911ee08ad0c30a8fbcbfd
- SHA256: a65d733a1b72befa4b7e458b5088c4429955300c4576adb964bf65e2b30b8ea5
- SHA512: bbafd6c51867ba8f484379d80c9d7a16af76d373698d079725af7f86c23a09a5e821789cdac8b6f9e950a2e4870b51cb8d0c4bc4fb6e13c9c2df9fd620c10bbe
- SSDEEP: 6144:SX8Gp+df0afmVTRMd0dpn94sLrNXel9rb98+MAnN:g8YkfXf4TRM094svNuzrb9ZP
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1940)
- Executes dropped EXE (1 IoC)
  Processes: siak.exe (PID 2544)
- Loads dropped DLL (1 IoC)
  Processes: ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe (PID 2092)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: siak.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Acabut\\siak.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2092 (ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe) set thread context of PID 1940 (cmd.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Modifies Internet Explorer settings (2 IoCs)
  Process: ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
  Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy
  Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes: siak.exe (PID 2544), 31 events
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe (PID 2092): Token: SeSecurityPrivilege, 3 events
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe (PID 2092), siak.exe (PID 2544)
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 2092 (ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe) wrote to memory of PID 2544 (siak.exe), 4 events
  PID 2544 (siak.exe) wrote to memory of PID 1128 (taskhost.exe), 5 events
  PID 2544 (siak.exe) wrote to memory of PID 1180 (Dwm.exe), 5 events
  PID 2544 (siak.exe) wrote to memory of PID 1216 (Explorer.EXE), 5 events
  PID 2544 (siak.exe) wrote to memory of PID 1764 (DllHost.exe), 5 events
  PID 2544 (siak.exe) wrote to memory of PID 2092 (ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe), 5 events
  PID 2092 (ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe) wrote to memory of PID 1940 (cmd.exe), 9 events
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), PID 1128
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), PID 1180
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1216
  - C:\Users\Admin\AppData\Local\Temp\ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe"), PID 2092
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Acabut\siak.exe (command line: "C:\Users\Admin\AppData\Roaming\Acabut\siak.exe"), PID 2544
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8d941466.bat"; the 32-bit sample's system32 path is redirected to SysWOW64 by WOW64), PID 1940
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 1764
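The signature tables above are flattened event rows, so the three behaviours that matter for triage (a GUID-named Run value pointing into AppData\Roaming, WriteProcessMemory into OS processes, and SetThreadContext on a process the same parent also wrote to) are easy to miss among the repeats. The following script is an added example, not part of the sandbox report or its tooling: it parses those rows as they appear on this page and reduces them to the three findings. The sample text is copied from the report and embedded inline; the list of OS process names treated as injection targets and the assumption that registry data is JSON-escaped (doubled backslashes) are the author's own.

```python
import re
from collections import Counter

# Constructed sample input: IoC rows copied from the signature tables of this report.
# The sandbox prints registry data with escaped backslashes ("C:\\Users"), so the
# data field is unescaped once below (assumption about the report format).
REPORT_TEXT = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Acabut\\siak.exe" siak.exe
PID 2092 set thread context of 1940 2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe cmd.exe
PID 2092 wrote to memory of 2544 2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe siak.exe PID 2092 wrote to memory of 2544 2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe siak.exe
PID 2544 wrote to memory of 1128 2544 siak.exe taskhost.exe PID 2544 wrote to memory of 1180 2544 siak.exe Dwm.exe
PID 2544 wrote to memory of 1216 2544 siak.exe Explorer.EXE PID 2544 wrote to memory of 1764 2544 siak.exe DllHost.exe
PID 2544 wrote to memory of 2092 2544 siak.exe ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
PID 2092 wrote to memory of 1940 2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe cmd.exe
'''

# Row shapes as printed in the "Adds Run key", "WriteProcessMemory" and
# "SetThreadContext" signature tables. Several rows may share one physical line,
# so every parser uses finditer over the whole text rather than splitting on lines.
RUN_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+\\CurrentVersion\\Run)'
    r'\\(?P<name>[^\s\\]+) = "(?P<data>[^"]*)"')
WRITE_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)')
CTX_RE = re.compile(r'PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$', re.I)

# OS processes a dropper has no legitimate reason to write into (author's list, not the sandbox's).
SYSTEM_PROCESSES = {'taskhost.exe', 'dwm.exe', 'explorer.exe', 'dllhost.exe', 'svchost.exe', 'winlogon.exe'}


def parse_run_keys(text):
    """Run-key persistence entries with a verdict: GUID-looking value name + payload under AppData\\Roaming."""
    entries = []
    for m in RUN_VALUE_RE.finditer(text):
        data = m.group('data').replace('\\\\', '\\')  # undo the report's escaping
        guid_name = bool(GUID_RE.match(m.group('name')))
        in_roaming = '\\appdata\\roaming\\' in data.lower()
        entries.append({
            'hive': 'HKLM' if '\\REGISTRY\\MACHINE\\' in m.group('key') else 'HKU',
            'name': m.group('name'), 'data': data,
            'guid_name': guid_name, 'in_appdata_roaming': in_roaming,
            'suspicious': guid_name and in_roaming,
        })
    return entries


def parse_memory_writes(text):
    """Collapse repeated WriteProcessMemory rows into (src_pid, src, dst_pid, dst) -> event count."""
    edges = Counter()
    for m in WRITE_RE.finditer(text):
        edges[(int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))] += 1
    return edges


def parse_thread_context(text):
    """SetThreadContext rows as (src_pid, src, dst_pid, dst)."""
    return [(int(m.group(1)), m.group(3), int(m.group(2)), m.group(4)) for m in CTX_RE.finditer(text)]


def injected_system_processes(edges):
    """OS processes that received memory writes: injection targets rather than child-process setup."""
    return sorted({dst for (_, _, _, dst) in edges if dst.lower() in SYSTEM_PROCESSES}, key=str.lower)


def hollowed_processes(edges, ctx):
    """A SetThreadContext on a target the same source also wrote to: the write-then-redirect hollowing pair."""
    written = {(src_pid, dst_pid) for (src_pid, _, dst_pid, _) in edges}
    return [(dst_pid, dst) for (src_pid, _, dst_pid, dst) in ctx if (src_pid, dst_pid) in written]


if __name__ == '__main__':
    edges = parse_memory_writes(REPORT_TEXT)
    for entry in parse_run_keys(REPORT_TEXT):
        print('persistence:', entry)
    print('injected OS processes:', injected_system_processes(edges))
    print('hollowed:', hollowed_processes(edges, parse_thread_context(REPORT_TEXT)))
```

On the report above this yields one suspicious Run value, four injected OS processes (DllHost.exe, Dwm.exe, Explorer.EXE, taskhost.exe) and cmd.exe (PID 1940) as the process that was both written to and had its thread context replaced; the same three checks translate directly into host-side hunts (Run values with GUID names under AppData\Roaming, and cross-process writes into those OS binaries).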
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: df95362b915599b6881e248b642524b7
  SHA1: e72bba3d222d6a681717a1683727007fd5ec0ed2
  SHA256: 9f5e6fa0d1a03d913e1d053c789f59c552843b30b860561a3de10bb67aa38757
  SHA512: e6ac5515ecba75f100a361b5677f341a0a68c929144df625ce94149a4827d92a5ce23aaeab3557d335d96ba441bf87b9564c3f34ddd19ede505e764eb54cbf21
- Filesize: 380B
  MD5: 82bc0bd0a072603d23fcc83eb2364d05
  SHA1: 618cf75cabb799040fcd442a15770eec39313e4f
  SHA256: 8db2fcbda0c4074bc8b466582ca5b6ee65f8451a81549d1ebb2880fd89e6b357
  SHA512: 70ccdedf561f33a0ba0674263e900f05775c52648482c34e6ff9904aec7c59d504a90563e3216681f98ad2e4109af18209155fbe4c4a9109ef3cd6e5a93ab309
- Filesize: 262KB
  MD5: 7d5f9f44f45f4fa6bd6078c60cff4337
  SHA1: 1533fa29ec0441cbc119748358adf49fd77a1e6c
  SHA256: 4ad2066e00769744b131b0899a47ddb5ace51ec094148dc0073c641bc427cef3
  SHA512: 29ca1e62511abe44f86269dba1a0e287472f51a61cd9cbaf5e8ecf3a92c7290b62ac54de28dfe328ea8fc87780aa43db1787ec721a2e0b4d43f66d4d6cc97d11