Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 04:27

General

  • Target

    fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe

  • Size

    148KB

  • MD5

    fff6b172d80154c93ecb61a00f17c26b

  • SHA1

    37cbaf9dfb6b5e1da9aa86f7687b3c51d31f2442

  • SHA256

    cdcb4acee9f2fdc2468c56f7786bfa642a3fe122ba0ce812d94a7defa353bf1d

  • SHA512

    97d97c8d4be103c74bd5837cd7e6cd130ee1d1af0ae2d31f51b95c4a8200cecc328e1c2335e750db516b11af9f425e00f356cef767eef92ee7283716c114a4b0

  • SSDEEP

    3072:SLjeGZhA5qdE3rVtbYDA4R5M1EX/+MSkBXKl6IF8rIEtrwMMKj+ktcepV1J:S/FZhZE3rTM0qGMpwl6x1j+ktcE

Malware Config

Signatures

  • Event Triggered Execution: AppCert DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\compdown64.dll",CreateProcessNotify
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259528317.bat" "C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe""
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259528317.bat

    Filesize

    75B

    MD5

    2dc0ba3b57119b61ae5ae9ef561a1a4a

    SHA1

    6f562ff5d7733f43cbd6b87c5d8a9216d459a41c

    SHA256

    abf6a7c72d2f0ea2fc4707ecc7dae8a2948768a0f38c75963ce8b41efe9a68b1

    SHA512

    0e1faa441d31201a761482d0c84322bb49b2018960f35dd9684daebe594baeae7fc53afad9220676d1cfdad5341ddef4bd32712a83455bc1c66b3ed9bfe8e0da

  • \Windows\SysWOW64\compdown.dll

    Filesize

    43KB

    MD5

    ffccde52bfbad88e43c56e425a913996

    SHA1

    9dade48adf8ea9cc6e13d8bdc473f131ae0e7ec1

    SHA256

    48026197f45c2ee8abd943a6bff799087536c983a9b5afb561461ab2889ff8d4

    SHA512

    5da81bd9f4a1bcb213cc452aece9f98736ab034095aa715d664a58404503136a6f5bacf819c824a4e6bdc3dbb6f7d43f998e43f3ad1f9adc67e3fcc3ebfb3f97

  • \Windows\System32\compdown64.dll

    Filesize

    51KB

    MD5

    7f52a76d671b0557f5b03117457d9c9d

    SHA1

    d9eaacf86d66e5955b8368f800dc7e1b3e9a50f6

    SHA256

    5b2b6ed2988538d3372697164455f6275bed1e8e04ba2da2d91fabf255d869e1

    SHA512

    8229211e8d96107feef91f23a98f0e365da1ce73eb7e6afa876ec958eaf786beb1a8f386720e23407cd7b29d956e9cf48fa232dc08652be1b5b4b35377207f20

  • memory/1212-24-0x00000000024C0000-0x00000000024C1000-memory.dmp

    Filesize

    4KB

  • memory/1212-25-0x00000000024C0000-0x00000000024C1000-memory.dmp

    Filesize

    4KB

  • memory/1212-39-0x0000000180000000-0x0000000180012000-memory.dmp

    Filesize

    72KB

  • memory/2108-42-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2300-22-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

  • memory/2300-23-0x0000000180000000-0x0000000180012000-memory.dmp

    Filesize

    72KB

  • memory/2548-6-0x0000000001000000-0x0000000001027000-memory.dmp

    Filesize

    156KB

  • memory/2548-33-0x0000000001000000-0x0000000001027000-memory.dmp

    Filesize

    156KB

  • memory/2548-34-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2548-0-0x00000000004B0000-0x00000000004B1000-memory.dmp

    Filesize

    4KB

  • memory/2548-1-0x0000000001000000-0x0000000001027000-memory.dmp

    Filesize

    156KB

  • memory/2548-7-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

  • memory/2548-8-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2776-41-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB