Analysis
max time kernel: 141s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/09/2024, 20:21
Static task: static1
Behavioral task: behavioral1
  Sample: fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
Size: 174KB
MD5: fad9a80024332efb7f5609b61c00ff56
SHA1: 31e2caada015dcbb888dd351f06474d7177437a1
SHA256: e746832c45b60f90fefd8738d0d9540df167674fbf101dd9b974b966cde62457
SHA512: 80599d1cebe327d7cb6bab1ce88dec2b0a35310b48e1d2784cb1685eec2456602fd7a965b5194e5499345a63d237dc252013bf3b877e5079860e6874b7fb8acb
SSDEEP: 3072:2a6pmM3xy6bpgy4Zyv7q6RYZZeyqfEkQGUSQyYLWwA5pyAQ/NxgSiD9s8FlI6:wy62y4ZI7qoYXizQGUhfK5pVQ/M52
Malware Config
Signatures

Event Triggered Execution: AppCert DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

Deletes itself (1 IoCs)
  pid   Process
  2840  cmd.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  1252  Explorer.EXE

Loads dropped DLL (7 IoCs)
  pid   Process
  2716  fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  2744  rundll32.exe (4 entries)
  2840  cmd.exe
  3052  attrib.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                 Process
  File opened for modification  C:\Windows\SysWOW64\cttuonce.dll    fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  File opened for modification  C:\Windows\system32\cttuonce64.dll  fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2716  fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                             procid_target
  PID 2716 wrote to memory of 2744  2716  fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe  29  (4 entries)
  PID 2716 wrote to memory of 2840  2716  fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe  30  (7 entries)
  PID 2744 wrote to memory of 1252  2744  rundll32.exe                                        20  (2 entries)
  PID 2840 wrote to memory of 3052  2840  cmd.exe                                             32  (7 entries)

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  3052  attrib.exe
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1252
  - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe"
    PID: 2716
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\cttuonce64.dll",CreateProcessNotify
      PID: 2744
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259526695.bat" "C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe""
      PID: 2840
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        command line: attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe"
        PID: 3052
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads