Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: f068700b57ac4da173074acb8b92fcfb_JaffaCakes118.jad
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f068700b57ac4da173074acb8b92fcfb_JaffaCakes118.jad
  Resource: win10v2004-20240802-en
General
Target: f068700b57ac4da173074acb8b92fcfb_JaffaCakes118.jad
Size: 26KB
MD5: f068700b57ac4da173074acb8b92fcfb
SHA1: 47abb53863e97f5ff1a2b2b093c268c1ad79a27b
SHA256: ff6c6802b0d66a7818d2c3c3b0ab2ad709fe75bfb8ab14b197291f449ab0ccc8
SHA512: 52be7471dc9c5d65eea7e622a09e50604c193b89502b23fb9405dd15fbc437f2f46fa0a88d8ecd7d66993f6e8450a0cff5b784ab6f76073dcfe395b8bd82e0df
SSDEEP: 768:IcwiFpsBHUx61hMSdqxIs2uhjPz5Lz5R4:3eNUx67XHiPz5Lz5a
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AcroRd32.exe
Modifies registry class (9 IoCs)
description        ioc                                                                                                  Process
Set value (str)    \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.jad\ = "jad_auto_file"          rundll32.exe
Key created        \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\jad_auto_file\shell\Read           rundll32.exe
Key created        \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\jad_auto_file\shell\Read\command   rundll32.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
Key created        \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings                     rundll32.exe
Key created        \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\jad_auto_file                      rundll32.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\jad_auto_file\                     rundll32.exe
Key created        \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.jad                               rundll32.exe
Key created        \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\jad_auto_file\shell                 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid     Process
2680    AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid     Process
2680    AcroRd32.exe
2680    AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid     Process         procid_target
PID 1716 wrote to memory of 2920     1716    cmd.exe         29
PID 1716 wrote to memory of 2920     1716    cmd.exe         29
PID 1716 wrote to memory of 2920     1716    cmd.exe         29
PID 2920 wrote to memory of 2680     2920    rundll32.exe    30
PID 2920 wrote to memory of 2680     2920    rundll32.exe    30
PID 2920 wrote to memory of 2680     2920    rundll32.exe    30
PID 2920 wrote to memory of 2680     2920    rundll32.exe    30
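The nine "Modifies registry class" rows above are not the sample acting: cmd /c on an extension Windows has no handler for falls through to the Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL), which creates the jad_auto_file ProgID, points its Read verb at the application the sandbox picked (Adobe Reader 9) and launches it. The same keys become interesting when a process other than the Open With dialog writes them, or when the verb command points at a script host or into a user-writable directory, which is how a file-association hijack looks in the same table. The Python below is an added triage example, not code from the sandbox vendor or the page; REPORT_EVENTS is constructed from the rows above, HIJACK_EVENT is an invented row showing the pattern to catch, and the lists of script hosts, user-writable paths and legitimate writers are this example's assumptions.

```python
"""Triage 'Modifies registry class' events: Open With plumbing vs. association hijack.

Added example, not sandbox-vendor code. REPORT_EVENTS is constructed from
the rows in the report above; HIJACK_EVENT is invented to show the pattern
the rules are meant to catch. The host and path lists are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# ProgID the Open With dialog creates for an unknown extension: <ext>_auto_file
AUTO_FILE_RE = re.compile(r"_CLASSES\\[^\\]+_auto_file(\\|$)", re.I)
# Bare extension key directly under the user's _CLASSES hive, e.g. ...\.jad
EXT_KEY_RE = re.compile(r"_CLASSES\\\.[^\\]+\\?$", re.I)
# Launch command of a shell verb: ...\shell\<verb>\command
COMMAND_KEY_RE = re.compile(r"\\shell\\[^\\]+\\command\\?$", re.I)
# First token of a command line, quoted or bare
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Assumptions: where a legitimate handler should not live, and hosts that
# turn a file association into a script launcher.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
LOLBIN_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
OPENAS_PROCESSES = {"rundll32.exe", "explorer.exe"}   # legitimate writers of *_auto_file


@dataclass(frozen=True)
class RegEvent:
    action: str            # "Key created" / "Set value (str)"
    key: str               # registry path as the report prints it
    value: Optional[str]   # data written; None for a key creation
    process: str           # image name of the writing process


SID = "S-1-5-21-312935884-697965778-3955649944-1000"   # the SID from the report


def cls(*parts: str) -> str:
    """Build a \\REGISTRY\\USER\\<SID>_CLASSES path from its components."""
    return "\\".join((r"\REGISTRY\USER\%s_CLASSES" % SID, *parts))


# Constructed from the report's rows (trailing backslashes dropped).
REPORT_EVENTS = [
    RegEvent("Set value (str)", cls(".jad"), "jad_auto_file", "rundll32.exe"),
    RegEvent("Key created", cls("jad_auto_file", "shell", "Read"), None, "rundll32.exe"),
    RegEvent("Key created", cls("jad_auto_file", "shell", "Read", "command"), None, "rundll32.exe"),
    RegEvent("Set value (str)", cls("jad_auto_file", "shell", "Read", "command"),
             r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"', "rundll32.exe"),
    RegEvent("Key created", cls("Local Settings"), None, "rundll32.exe"),
    RegEvent("Key created", cls("jad_auto_file"), None, "rundll32.exe"),
    RegEvent("Set value (str)", cls("jad_auto_file"), "", "rundll32.exe"),
    RegEvent("Key created", cls(".jad"), None, "rundll32.exe"),
    RegEvent("Key created", cls("jad_auto_file", "shell"), None, "rundll32.exe"),
]
# Invented row: a handler in %TEMP% written by an unrelated process.
HIJACK_EVENT = RegEvent("Set value (str)", cls("pdf_auto_file", "shell", "open", "command"),
                        r'"C:\Users\Admin\AppData\Local\Temp\upd.exe" "%1"', "upd.exe")


def handler_exe(command: str) -> str:
    """Return the executable path from a shell\\<verb>\\command value."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def classify(ev: RegEvent) -> tuple[str, str]:
    """Return (verdict, reason) for one registry event."""
    if COMMAND_KEY_RE.search(ev.key) and ev.value:
        exe = handler_exe(ev.value)
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in LOLBIN_HOSTS:
            return "suspicious", f"verb command runs script/LOLBin host {base}"
        if USER_WRITABLE_RE.search(exe):
            return "suspicious", f"verb command points into user-writable path: {exe}"
        if ev.process.lower() not in OPENAS_PROCESSES:
            return "suspicious", f"verb command written by {ev.process}, not the Open With dialog"
        return "openas-noise", f"Open With registered {base} as the handler"
    is_assoc = (AUTO_FILE_RE.search(ev.key) or EXT_KEY_RE.search(ev.key)
                or (ev.value or "").endswith("_auto_file"))
    if is_assoc:
        if ev.process.lower() in OPENAS_PROCESSES:
            return "openas-noise", "file-association plumbing written by the Open With dialog"
        return "suspicious", f"file-association key written by {ev.process}"
    return "unclassified", "not a file-association key"


def triage(events):
    """Count verdicts and collect the rows worth a human look."""
    summary = {"openas-noise": 0, "suspicious": 0, "unclassified": 0}
    findings = []
    for ev in events:
        verdict, reason = classify(ev)
        summary[verdict] += 1
        if verdict == "suspicious":
            findings.append((ev.key, ev.process, reason))
    return summary, findings


if __name__ == "__main__":
    for ev in REPORT_EVENTS + [HIJACK_EVENT]:
        verdict, reason = classify(ev)
        print(f"{verdict:13} {ev.process:13} {reason}")
```

Run against the report's rows the script returns eight Open With rows and one unclassified key (the generic Local Settings key), and nothing suspicious; only the invented %TEMP% handler trips a rule. The same three checks (writer is not the shell, handler lives in a user-writable path, handler is a script host) transfer directly to registry telemetry such as Sysmon event 13 on HKU\*_Classes\*\shell\*\command.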
Processes

1. C:\Windows\system32\cmd.exe (PID 1716)
   cmd /c C:\Users\Admin\AppData\Local\Temp\f068700b57ac4da173074acb8b92fcfb_JaffaCakes118.jad
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe (PID 2920, child of 1716)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\f068700b57ac4da173074acb8b92fcfb_JaffaCakes118.jad
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2680, child of 2920)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f068700b57ac4da173074acb8b92fcfb_JaffaCakes118.jad"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
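The process tree shows that Windows had no application for .jad, the sandbox picked Adobe Reader through the Open With dialog, and every behavioural signature after that describes Reader opening a file it cannot parse, not the sample. A .jad is a J2ME Java Application Descriptor: a plain-text list of Attribute: value lines whose MIDlet-Jar-URL names the JAR that actually carries the code, so the triage value is in reading the descriptor, not in running it on a desktop OS. The report does not show this file's contents. The Python below is an added example, not code from the page or the sandbox vendor; SAMPLE_JAD is a constructed descriptor with a made-up host under .invalid, and the permission list treated as risky is this example's assumption.

```python
"""Triage a J2ME Java Application Descriptor (.jad) without executing anything.

Added example, not from the report or the sandbox vendor. SAMPLE_JAD is a
constructed descriptor (host under .invalid); RISKY_PERMISSIONS is this
example's assumption about which MIDP permissions matter for triage.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Attributes every descriptor must carry: name, version, vendor,
# where the JAR is and how big it is.
REQUIRED = ("MIDlet-Name", "MIDlet-Version", "MIDlet-Vendor",
            "MIDlet-Jar-URL", "MIDlet-Jar-Size")
# Assumption: permissions that let a MIDlet send SMS or talk to the network.
RISKY_PERMISSIONS = {
    "javax.wireless.messaging.sms.send",        # premium-SMS fraud
    "javax.microedition.io.Connector.sms",
    "javax.microedition.io.Connector.socket",   # raw network access
    "javax.microedition.io.Connector.http",
}

# Constructed sample descriptor; the host is reserved and resolves nowhere.
SAMPLE_JAD = """\
MIDlet-Name: PhotoViewer
MIDlet-Version: 1.0.3
MIDlet-Vendor: Example Ltd
MIDlet-1: PhotoViewer, /icon.png, com.example.viewer.Main
MIDlet-Jar-URL: http://cdn.example.invalid/pv/PhotoViewer.jar
MIDlet-Jar-Size: 18432
MIDlet-Permissions: javax.wireless.messaging.sms.send, javax.microedition.io.Connector.http
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
"""


def parse_jad(text: str) -> dict[str, str]:
    """One 'Attribute: value' per line. Blank lines and lines without a colon
    are skipped, the first occurrence of a name wins, names keep their case."""
    attrs: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip(), value.strip())
    return attrs


def triage_jad(text: str) -> dict:
    """Extract the IOCs a descriptor carries and flag what deserves a look."""
    attrs = parse_jad(text)
    findings: list[str] = []

    missing = [k for k in REQUIRED if k not in attrs]
    if missing:
        findings.append("missing required attributes: " + ", ".join(missing))

    url = attrs.get("MIDlet-Jar-URL", "")
    loc = urlparse(url)
    if loc.scheme in ("http", "https"):
        findings.append(f"JAR is fetched from {loc.netloc}: {url}")

    size = attrs.get("MIDlet-Jar-Size", "")
    jar_size = int(size) if size.isdigit() else None
    if jar_size is None:
        findings.append("MIDlet-Jar-Size missing or not an integer")

    perms = {p.strip() for p in attrs.get("MIDlet-Permissions", "").split(",") if p.strip()}
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("requests " + ", ".join(risky))

    # MIDlet-<n>: "<display name>, <icon>, <main class>"
    midlets = {k: v for k, v in attrs.items() if re.fullmatch(r"MIDlet-\d+", k)}

    return {"attrs": attrs, "jar_url": url, "jar_size": jar_size,
            "midlets": midlets, "risky_permissions": risky, "findings": findings}


if __name__ == "__main__":
    result = triage_jad(SAMPLE_JAD)
    print("JAR:", result["jar_url"], result["jar_size"], "bytes")
    for name, entry in result["midlets"].items():
        print(name + ":", entry)
    for f in result["findings"]:
        print("-", f)
```

The JAR URL and the declared JAR size are the two fields to pivot on: the URL is a network IOC and a fetch target for the actual payload, and a size that does not match the JAR eventually retrieved is itself a signal. Behavioural signatures for a MIDlet come from a J2ME emulator or static analysis of the JAR, not from a Windows sandbox.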
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 5b7e0bb53e3b49690288080732382b49
SHA1: 35aa228e25fc197aa4d176cd4c9ba655255cf814
SHA256: 0188dd88bd3aa96f9b3451c86a28cf8482acc2f8b4831cc87d93b74ea1e2225f
SHA512: 1619310ede6682c16d13fe00fce53c053b8605a9436bd3613e1cf98e70f865a3b4f4d36e30126136db2532f8698ab77282301e791924e2c32731835d3697d430