Analysis

  • max time kernel
    141s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/09/2024, 20:21

General

  • Target
    fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  • Size
    174KB
  • MD5
    fad9a80024332efb7f5609b61c00ff56
  • SHA1
    31e2caada015dcbb888dd351f06474d7177437a1
  • SHA256
    e746832c45b60f90fefd8738d0d9540df167674fbf101dd9b974b966cde62457
  • SHA512
    80599d1cebe327d7cb6bab1ce88dec2b0a35310b48e1d2784cb1685eec2456602fd7a965b5194e5499345a63d237dc252013bf3b877e5079860e6874b7fb8acb
  • SSDEEP
    3072:2a6pmM3xy6bpgy4Zyv7q6RYZZeyqfEkQGUSQyYLWwA5pyAQ/NxgSiD9s8FlI6:wy62y4ZI7qoYXizQGUhfK5pVQ/M52

Malware Config

Signatures

  • Event Triggered Execution: AppCert DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\cttuonce64.dll",CreateProcessNotify
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259526695.bat" "C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe""
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259526695.bat
    Filesize: 75B
    MD5: 7fe7140fdebda9e6fddeed64ea419888
    SHA1: 77604b230dbd120acd2454711b1c05bf561ba974
    SHA256: a9348f9fe990cfd8f3a9c695729e38659ad8bb559341d8085f1d0e750eb00862
    SHA512: e772a3b924689ec0ccbeac91992c01d45d6da35c07530d8be58f6f4aed5db759e2a00e405f9dce3006e6f289c7063adb3a5a6dd6d4c2edc60190656c00a61501

  • C:\Windows\system32\cttuonce64.dll
    Filesize: 62KB
    MD5: d99463764fb1cb6608f2e2fea36bb016
    SHA1: 87a5518f3ef2db86930ed355d5b4f81362bd6418
    SHA256: 8557f233873fd2aa7bb675e48ac58d7d5fd60470033ad26660352bdbbacae65f
    SHA512: 268f9869d6fdc5673bc6fd6ef80e7b697bf172913b249b8b8626738eda387097ea00f6f5af7af56a60c8409f3bcc634502fa22599081c998874b9d5fa9a44938

  • \Windows\SysWOW64\cttuonce.dll
    Filesize: 54KB
    MD5: 6564e07076dda55f1da5ccc8c40edeb8
    SHA1: ef685e0491fe98a92ee4df180869f0c9cad95f98
    SHA256: 62d1e48d0bd38236c7f679da0f81760f91b44ae28310b4a4c53ff231238dd0d7
    SHA512: 2a6b0d35f5de4962be5f2d5f7d8d98a41915b1f24910a256760ec9d18719945d0aa0b335549f9338e8fc477d655c92e0579ce437c5d171502fd1746866a1d326

  • memory/1252-42-0x0000000180000000-0x0000000180016000-memory.dmp
    Filesize: 88KB
  • memory/1252-28-0x0000000000400000-0x0000000000401000-memory.dmp
    Filesize: 4KB
  • memory/2716-40-0x0000000001000000-0x000000000102E000-memory.dmp
    Filesize: 184KB
  • memory/2716-7-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/2716-6-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
    Filesize: 4KB
  • memory/2716-41-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/2716-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize: 4KB
  • memory/2716-1-0x0000000001000000-0x000000000102E000-memory.dmp
    Filesize: 184KB
  • memory/2744-14-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize: 4KB
  • memory/2744-25-0x0000000180000000-0x0000000180016000-memory.dmp
    Filesize: 88KB
  • memory/2840-22-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize: 4KB
  • memory/2840-49-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB
  • memory/3052-48-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB