Analysis
-
max time kernel
131s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-09-2024 04:26
Static task
static1
Behavioral task
behavioral1
Sample
ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe
-
Size
132KB
-
MD5
ef109e318eac0febf15b25f850c79d4f
-
SHA1
4a41a4e6029f9ee640922cf13c48311a7c7bc9ed
-
SHA256
5a276f6be10c865870b8530bfe23d89d7d8849bccbe07a6552b95f3b888291b9
-
SHA512
668b63525b813b25de0df9174e5ca1f52088136d3fdda4f107022f21b0d2b0eaf60f6f209daca41d5813ec0373da70ed5ed3f52304d42386b1b6a325f1fc2f0f
-
SSDEEP
3072:ZVpq/s1jBK3dVMyppP21kJHGrLd7wDTHgWL3hPhSwhv:ZVpqkZGdaU2GG7WHgWLxpB
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat wcsalaska.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wcsalaska.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wcsalaska.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7} wcsalaska.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecisionReason = "1" wcsalaska.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecision = "0" wcsalaska.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" wcsalaska.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecisionTime = a01b7783de0bdb01 wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings wcsalaska.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 wcsalaska.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecision = "0" wcsalaska.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadNetworkName = "Network 3" wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\02-5d-69-46-0c-98 wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings wcsalaska.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad wcsalaska.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecisionReason = "1" wcsalaska.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecisionTime = a01b7783de0bdb01 wcsalaska.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98 wcsalaska.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2972 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe 2668 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe 2484 wcsalaska.exe 2768 wcsalaska.exe 2768 wcsalaska.exe 2768 wcsalaska.exe 2768 wcsalaska.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2668 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2668 2972 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2668 2972 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2668 2972 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2668 2972 ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe 30 PID 2484 wrote to memory of 2768 2484 wcsalaska.exe 32 PID 2484 wrote to memory of 2768 2484 wcsalaska.exe 32 PID 2484 wrote to memory of 2768 2484 wcsalaska.exe 32 PID 2484 wrote to memory of 2768 2484 wcsalaska.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ef109e318eac0febf15b25f850c79d4f_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2668
-
-
C:\Windows\SysWOW64\wcsalaska.exe"C:\Windows\SysWOW64\wcsalaska.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\wcsalaska.exe"C:\Windows\SysWOW64\wcsalaska.exe"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2768
-