Analysis
- max time kernel: 150s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2024 04:27
Static task: static1
Behavioral task: behavioral1
  Sample: fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
- Size: 148KB
- MD5: fff6b172d80154c93ecb61a00f17c26b
- SHA1: 37cbaf9dfb6b5e1da9aa86f7687b3c51d31f2442
- SHA256: cdcb4acee9f2fdc2468c56f7786bfa642a3fe122ba0ce812d94a7defa353bf1d
- SHA512: 97d97c8d4be103c74bd5837cd7e6cd130ee1d1af0ae2d31f51b95c4a8200cecc328e1c2335e750db516b11af9f425e00f356cef767eef92ee7283716c114a4b0
- SSDEEP: 3072:SLjeGZhA5qdE3rVtbYDA4R5M1EX/+MSkBXKl6IF8rIEtrwMMKj+ktcepV1J:S/FZhZE3rTM0qGMpwl6x1j+ktcE
Malware Config
Signatures
- Event Triggered Execution: AppCert DLLs (1 TTP, no IoC listed)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. DLLs registered under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls are loaded into every process that calls CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW or WinExec, and an AppCert DLL is expected to export CreateProcessNotify. Note that the rundll32 invocation in the process tree below calls exactly that export from the dropped compdown64.dll; the report records no write to the AppCertDlls key, so whether the DLL was actually registered there has to be confirmed from the registry on the affected host.
- Deletes itself (1 IoC)
  pid   Process
  2108  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  1212  Explorer.EXE
- Loads dropped DLL (7 IoCs)
  pid   Process
  2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
  2300  rundll32.exe
  2300  rundll32.exe
  2300  rundll32.exe
  2300  rundll32.exe
  2108  cmd.exe
  2776  attrib.exe
- Drops file in System32 directory (2 IoCs)
  description                   ioc                                   Process
  File opened for modification  C:\Windows\SysWOW64\compdown.dll      fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
  File opened for modification  C:\Windows\system32\compdown64.dll    fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process                                              procid_target
  PID 2548 wrote to memory of 2300   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  29
  PID 2548 wrote to memory of 2300   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  29
  PID 2548 wrote to memory of 2300   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  29
  PID 2548 wrote to memory of 2300   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  29
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2300 wrote to memory of 1212   2300  rundll32.exe                                         20
  PID 2300 wrote to memory of 1212   2300  rundll32.exe                                         20
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2548 wrote to memory of 2108   2548  fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe  30
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
  PID 2108 wrote to memory of 2776   2108  cmd.exe                                              32
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid   Process
  2776  attrib.exe
Processes
- C:\Windows\Explorer.EXE (PID 1212)
  command line: C:\Windows\Explorer.EXE
  signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe (PID 2548)
    command line: "C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"
    signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\rundll32.exe (PID 2300)
      command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\compdown64.dll",CreateProcessNotify
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2108)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259528317.bat" "C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe""
      signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 2776)
        command line: attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"
        signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Views/modifies file attributes
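The process tree above shows two chains worth turning into detection logic: rundll32 calling the CreateProcessNotify export of a freshly dropped System32 DLL (the export an AppCert DLL implements, see the AppCert DLLs signature above), followed by a cross-process write into Explorer.EXE, and the sample launching cmd /c on a %TEMP% .bat that takes the sample's own path as an argument, with attrib -r -s -h clearing the attributes so the batch file can delete the original. The Python below is an added example and is not part of the sandbox report: it runs three checks over constructed process-creation events (Sysmon event 1 shape is an assumption; PIDs, image paths and command lines are copied from the tree, and the write pairs come from the WriteProcessMemory table above).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (simplified Sysmon event 1 shape; assumed layout)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"

# Constructed input: PIDs, images and command lines copied from the report's process tree.
EVENTS = [
    ProcEvent(1212, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2548, 1212, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2300, 2548, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\compdown64.dll",CreateProcessNotify'),
    ProcEvent(2108, 2548, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + r"C:\Users\Admin\AppData\Local\Temp\259528317.bat" + '" "' + SAMPLE + '""'),
    ProcEvent(2776, 2108, r"C:\Windows\SysWOW64\attrib.exe",
              'attrib -r -s -h"' + SAMPLE + '"'),
]

# Constructed input: (source pid, target pid) pairs from the WriteProcessMemory table, de-duplicated.
WRITES = [(2548, 2300), (2548, 2108), (2300, 1212), (2108, 2776)]

RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
BAT_RE = re.compile(r'"([^"]+\.bat)"', re.I)
ATTRIB_CLEAR_RE = re.compile(r"-r\s+-s\s+-h", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_appcert_style_rundll32(events):
    """rundll32 invoking a DLL's CreateProcessNotify export, the entry point an
    AppCert DLL implements. Returns [(pid, dll_path)]; confirm against the
    AppCertDlls registry key before calling it persistence."""
    hits = []
    for e in events:
        if _basename(e.image) != "rundll32.exe":
            continue
        m = RUNDLL_RE.search(e.cmdline)
        if m and m.group(2).lower() == "createprocessnotify":
            hits.append((e.pid, m.group(1)))
    return hits


def find_batch_self_delete(events):
    """cmd.exe running a %TEMP% .bat whose arguments name the parent's own
    image, with a child attrib.exe clearing R/S/H on that image: the
    delete-self-after-install chain in the tree above."""
    procs = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if _basename(e.image) != "cmd.exe" or e.ppid not in procs:
            continue
        parent = procs[e.ppid]
        m = BAT_RE.search(e.cmdline)
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        if parent.image.lower() not in e.cmdline.lower():
            continue
        attrib = [c for c in children.get(e.pid, [])
                  if _basename(c.image) == "attrib.exe"
                  and ATTRIB_CLEAR_RE.search(c.cmdline)
                  and parent.image.lower() in c.cmdline.lower()]
        if attrib:
            hits.append({"cmd_pid": e.pid, "parent_pid": parent.pid, "target": parent.image,
                         "batch": m.group(1), "attrib_pid": attrib[0].pid})
    return hits


def find_writes_into(events, writes, target_basename="explorer.exe"):
    """Cross-process memory writes whose target image is target_basename
    (here rundll32 -> Explorer.EXE). Returns [(src_pid, dst_pid, src_image)]."""
    procs = {e.pid: e for e in events}
    out = []
    for src, dst in writes:
        d = procs.get(dst)
        if d and _basename(d.image) == target_basename and src in procs:
            out.append((src, dst, procs[src].image))
    return out


if __name__ == "__main__":
    print("rundll32 CreateProcessNotify:", find_appcert_style_rundll32(EVENTS))
    for h in find_batch_self_delete(EVENTS):
        print("self-delete chain:", h)
    print("writes into explorer:", find_writes_into(EVENTS, WRITES))
```

The attrib command line is kept exactly as the report renders it (no space before the quoted path), so the regex keys on the flags rather than on token boundaries; on a real telemetry source you would feed ProcEvent from Sysmon event 1 (ProcessId, ParentProcessId, Image, CommandLine) and the write pairs from event 8/10 equivalents.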
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 75B
  MD5: 2dc0ba3b57119b61ae5ae9ef561a1a4a
  SHA1: 6f562ff5d7733f43cbd6b87c5d8a9216d459a41c
  SHA256: abf6a7c72d2f0ea2fc4707ecc7dae8a2948768a0f38c75963ce8b41efe9a68b1
  SHA512: 0e1faa441d31201a761482d0c84322bb49b2018960f35dd9684daebe594baeae7fc53afad9220676d1cfdad5341ddef4bd32712a83455bc1c66b3ed9bfe8e0da
- Filesize: 43KB
  MD5: ffccde52bfbad88e43c56e425a913996
  SHA1: 9dade48adf8ea9cc6e13d8bdc473f131ae0e7ec1
  SHA256: 48026197f45c2ee8abd943a6bff799087536c983a9b5afb561461ab2889ff8d4
  SHA512: 5da81bd9f4a1bcb213cc452aece9f98736ab034095aa715d664a58404503136a6f5bacf819c824a4e6bdc3dbb6f7d43f998e43f3ad1f9adc67e3fcc3ebfb3f97
- Filesize: 51KB
  MD5: 7f52a76d671b0557f5b03117457d9c9d
  SHA1: d9eaacf86d66e5955b8368f800dc7e1b3e9a50f6
  SHA256: 5b2b6ed2988538d3372697164455f6275bed1e8e04ba2da2d91fabf255d869e1
  SHA512: 8229211e8d96107feef91f23a98f0e365da1ce73eb7e6afa876ec958eaf786beb1a8f386720e23407cd7b29d956e9cf48fa232dc08652be1b5b4b35377207f20