Analysis
max time kernel: 150s
max time network: 137s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2024 01:29
Static task
static1
Behavioral task
behavioral1
Sample
f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe
-
Size
267KB
-
MD5
f4e0dd059622255ab0d1cb050c562b6e
-
SHA1
2f8a3dff0a14a2520e991458ef8eb919a8bb34b2
-
SHA256
3f6a01122ba08bbb943b745c16ca35378f9555f11a37287a4bf45f5b0042618a
-
SHA512
1053eec8208630af2aee3a12ae9f6e73749ff94587600c436d6e2776af5a02938bb8e7ab3c8d568b7449083ee99636ae6db085c1c201d47e1cf8e07b09136979
-
SSDEEP
6144:jipFwArEWyXvXpqo2pZ+dqtWRmnUGj9vzAGEqN38:jKFwArEWyfUJlK6+GEW3
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2860 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2800 jode.exe -
Loads dropped DLL 2 IoCs
pid Process 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D9E5F948-3C80-AD4F-E7F9-6BD2C10548CF} = "C:\\Users\\Admin\\AppData\\Roaming\\Menyf\\jode.exe" jode.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2372 set thread context of 2860 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jode.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Modifies Internet Explorer settings 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2800 jode.exe (31 events) -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeSecurityPrivilege 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe Token: SeSecurityPrivilege 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe Token: SeSecurityPrivilege 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe 2800 jode.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target
PID 2372 wrote to memory of 2800 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe 30 (4 events)
PID 2800 wrote to memory of 1120 2800 jode.exe 19 (5 events)
PID 2800 wrote to memory of 1180 2800 jode.exe 20 (5 events)
PID 2800 wrote to memory of 1236 2800 jode.exe 21 (5 events)
PID 2800 wrote to memory of 1132 2800 jode.exe 23 (5 events)
PID 2800 wrote to memory of 2372 2800 jode.exe 29 (5 events)
PID 2372 wrote to memory of 2860 2372 f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe 31 (9 events)
Processes
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe", depth 1, PID:1120
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", depth 1, PID:1180
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, depth 1, PID:1236
  - C:\Users\Admin\AppData\Local\Temp\f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\f4e0dd059622255ab0d1cb050c562b6e_JaffaCakes118.exe", depth 2, PID:2372
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Menyf\jode.exe, command line "C:\Users\Admin\AppData\Roaming\Menyf\jode.exe", depth 3, PID:2800
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4735a443.bat", depth 3, PID:2860
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, depth 1, PID:1132
Network
MITRE ATT&CK Enterprise v15
Downloads