Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe
Size: 996KB
MD5: f5e2adb6d79eb7bb634f9eed33ff754c
SHA1: ae8761b0c155588eca69d58def8e46d2a1060f91
SHA256: 1e2623c17e4955fae07c6763e1b23f3b1d01a4aaac06d307042f29be8ec5cecc
SHA512: e58c7daca2133292f5b6b672630c3a6fdf1ea7a5dfaee3fe71736e94cd14edb1408970ad700ee6a9b04494be659230a48abda9a0c9671440eb60389ed7287506
SSDEEP: 12288:G+ThrE567NIZN5BUIrzJY6Et+3kI7dC3X64P7r9r/+pppppppppppppppppppppt:G4JccI5BUcfEY7hO1qd0B3n1TSZrnBX
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 1636, process cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2652, process egis.exe
  pid 2592, process egis.exe
Loads dropped DLL (2 IoCs)
  pid 2108, process f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe (2 occurrences)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pyafudqaty = "C:\\Users\\Admin\\AppData\\Roaming\\Bynuo\\egis.exe", process egis.exe
Suspicious use of SetThreadContext (2 IoCs)
  PID 1712 (f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe) set thread context of 2108, procid_target 30
  PID 2652 (egis.exe) set thread context of 2592, procid_target 32
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by egis.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by egis.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid 2592, process egis.exe (22 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSecurityPrivilege, pid 2108, process f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe (2 occurrences)
Suspicious use of WriteProcessMemory (63 IoCs, grouped by source PID, target PID and procid_target; count of events per group in parentheses)
  PID 1712 (f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe) wrote to memory of 2108, procid_target 30 (9 events)
  PID 2108 (f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe) wrote to memory of 2652, procid_target 31 (4 events)
  PID 2652 (egis.exe) wrote to memory of 2592, procid_target 32 (9 events)
  PID 2592 (egis.exe) wrote to memory of 1100, procid_target 19 (5 events)
  PID 2592 (egis.exe) wrote to memory of 1140, procid_target 20 (5 events)
  PID 2592 (egis.exe) wrote to memory of 1204, procid_target 21 (5 events)
  PID 2592 (egis.exe) wrote to memory of 1212, procid_target 23 (5 events)
  PID 2592 (egis.exe) wrote to memory of 2108, procid_target 30 (5 events)
  PID 2108 (f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe) wrote to memory of 1636, procid_target 33 (4 events)
  PID 2592 (egis.exe) wrote to memory of 1636, procid_target 33 (5 events)
  PID 2592 (egis.exe) wrote to memory of 2024, procid_target 34 (2 events)
  PID 2592 (egis.exe) wrote to memory of 2868, procid_target 35 (5 events)
Processes (process tree; indentation shows parent/child relationship, signatures listed under each process)
- C:\Windows\system32\taskhost.exe (PID 1100), command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (PID 1140), command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1204), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe (PID 1712), command line: "C:\Users\Admin\AppData\Local\Temp\f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe (PID 2108), command line: "C:\Users\Admin\AppData\Local\Temp\f5e2adb6d79eb7bb634f9eed33ff754c_JaffaCakes118.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Bynuo\egis.exe (PID 2652), command line: "C:\Users\Admin\AppData\Roaming\Bynuo\egis.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Bynuo\egis.exe (PID 2592), command line: "C:\Users\Admin\AppData\Roaming\Bynuo\egis.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1636), command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5c9ff13b.bat"
        - Deletes itself
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe (PID 1212), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\conhost.exe (PID 2024), command line: \??\C:\Windows\system32\conhost.exe "12024616061246693321-20530958858222067663738208202866893119294915491265594648"
- C:\Windows\system32\DllHost.exe (PID 2868), command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 5c827f7afe652ff81043c3422cc3396c
  SHA1: 36463e3e79fc9db46399cd1f4c329bf64a2e75c6
  SHA256: dccf8f952ee00d411bad1a52f1731ae0dbb0671ef9a0ac3493213f415aaab1ae
  SHA512: bfa5675774db594a30a172dbf88e8c1c5b4061274d07dc7ffe5a514e864aa1007459306768ed6a421b12afcfd1e3d7aaeb71098725ba301db7c17474daf3d345
- Filesize: 996KB
  MD5: ec2af1b10ffe03990261316f5565d7c3
  SHA1: 80ea4d6b222a7b0c30d2cb2c81ecc46faae4bd1d
  SHA256: 7afd4a48951b3ce8729bb52517e01e05ea29567d651fb947f8bf64ce269746c3
  SHA512: 4ae4e52f4327324db329a86a3fdbc61d5c4cbe29b566ad45c1ae5b57b3a2f716361307c06e9540f81278ac760b375a5fd587971863291cc53541f4796d54b04d