Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/09/2024, 11:35
Behavioral task: behavioral1
- Sample: fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
- Size: 11KB
- MD5: fa54d61d86d1576306972ecf9c73e2d4
- SHA1: 27c9f6fe4148bac5354a0b14d58721ed271f960a
- SHA256: 7e0c4e1becffeee7b958ffb26291fb78f51df7d14f0127502154beb134af9307
- SHA512: 8b8b252cd2ef21b4b4f98522343ce9aab4c03f7d46f94c35b8cb97f6bb1e6ec4a2930cdf8c9bf7e29d630fb450d50915bd822a742ac8276999ddfd004f33d1e6
- SSDEEP: 192:XE4JgPu/PlfaC8NahI7yFJQT0V6RfCyG/B9ShZVuIaMAUaIGo7/r1Bclg:XE4WPOfarNa3JK0V5whGIahUaIGof8g
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Deletes itself (1 IoCs)
  pid | Process
  2916 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1432 | aotopptk.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
  2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\aotopptk.exe | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\aotopptk.exe | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\aotoppt.dll | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
- YARA rule matches
  resource | yara_rule
  behavioral1/memory/2156-0-0x0000000000400000-0x000000000040E000-memory.dmp | upx
  behavioral1/files/0x0008000000016c58-3.dat | upx
  behavioral1/memory/2156-11-0x0000000000400000-0x000000000040E000-memory.dmp | upx
  behavioral1/memory/1432-14-0x0000000000400000-0x000000000040E000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 1432 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 1432 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 1432 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 1432 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 30
  PID 2156 wrote to memory of 2916 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 32
  PID 2156 wrote to memory of 2916 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 32
  PID 2156 wrote to memory of 2916 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 32
  PID 2156 wrote to memory of 2916 | 2156 | fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2156
  - C:\Windows\SysWOW64\aotopptk.exe (child process)
    Command line: C:\Windows\system32\aotopptk.exe ˜‰
    - Executes dropped EXE
    PID: 1432
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\fa54d61d86d1576306972ecf9c73e2d4_JaffaCakes118.exe.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: 772189663e5ba4de67fee7db053275f6
  SHA1: 7cd756cd4dfafdf7b10910f3293277a1d08269a1
  SHA256: 54725756b260bc20d9b8f94c1601e68e22a8ba403af0ca8cad8f019d5659e78d
  SHA512: dd3c1a485652372d171531e68156dff00b9caba32e9b87ab33b2f9109bee73ae7bc4e9dd7ae0f09a6bd683627cec0627d97be38d8f0a171e75d7ae50db16a323
- Filesize: 11KB
  MD5: fa54d61d86d1576306972ecf9c73e2d4
  SHA1: 27c9f6fe4148bac5354a0b14d58721ed271f960a
  SHA256: 7e0c4e1becffeee7b958ffb26291fb78f51df7d14f0127502154beb134af9307
  SHA512: 8b8b252cd2ef21b4b4f98522343ce9aab4c03f7d46f94c35b8cb97f6bb1e6ec4a2930cdf8c9bf7e29d630fb450d50915bd822a742ac8276999ddfd004f33d1e6