Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 11:35

General

  • Target

    fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe

  • Size

    11KB

  • MD5

    fa54d61d86d1576306972ecf9c73e2d4

  • SHA1

    27c9f6fe4148bac5354a0b14d58721ed271f960a

  • SHA256

    7e0c4e1becffeee7b958ffb26291fb78f51df7d14f0127502154beb134af9307

  • SHA512

    8b8b252cd2ef21b4b4f98522343ce9aab4c03f7d46f94c35b8cb97f6bb1e6ec4a2930cdf8c9bf7e29d630fb450d50915bd822a742ac8276999ddfd004f33d1e6

  • SSDEEP

    192:XE4JgPu/PlfaC8NahI7yFJQT0V6RfCyG/B9ShZVuIaMAUaIGo7/r1Bclg:XE4WPOfarNa3JK0V5whGIahUaIGof8g

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\aotopptk.exe
      C:\Windows\system32\aotopptk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe.bat

    Filesize

    210B

    MD5

    772189663e5ba4de67fee7db053275f6

    SHA1

    7cd756cd4dfafdf7b10910f3293277a1d08269a1

    SHA256

    54725756b260bc20d9b8f94c1601e68e22a8ba403af0ca8cad8f019d5659e78d

    SHA512

    dd3c1a485652372d171531e68156dff00b9caba32e9b87ab33b2f9109bee73ae7bc4e9dd7ae0f09a6bd683627cec0627d97be38d8f0a171e75d7ae50db16a323

  • \Windows\SysWOW64\aotopptk.exe

    Filesize

    11KB

    MD5

    fa54d61d86d1576306972ecf9c73e2d4

    SHA1

    27c9f6fe4148bac5354a0b14d58721ed271f960a

    SHA256

    7e0c4e1becffeee7b958ffb26291fb78f51df7d14f0127502154beb134af9307

    SHA512

    8b8b252cd2ef21b4b4f98522343ce9aab4c03f7d46f94c35b8cb97f6bb1e6ec4a2930cdf8c9bf7e29d630fb450d50915bd822a742ac8276999ddfd004f33d1e6

  • memory/1432-14-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2156-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2156-9-0x0000000000230000-0x000000000023E000-memory.dmp

    Filesize

    56KB

  • memory/2156-11-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2156-12-0x0000000000230000-0x000000000023E000-memory.dmp

    Filesize

    56KB