Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2024, 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: 062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
Size: 38KB
MD5: 062e2c20d39d1d5be3420046399e64ba
SHA1: 1dfd3c1341bff634738f9240aa616d0e3630438d
SHA256: f41e21f084c9aa503e60656364987abe42f6617fd0a3f9d39bb614342e6c1bfb
SHA512: 1c3adc6fe3391f56c03cd57a8cc3045985b9001483a002e5ed1f584f88ea44cfdfd22d4d766f269354339015a2034a50f1b78d7a6314b24f37e3a3d54dce1cb9
SSDEEP: 768:WHKWvnSiXTtSfLNHmIJeOFEPZnYzDa2cwMtL3ip4V5l2GwiPW0:WHnvTtSzdmIJeVWzWwYL3W02GwiPV
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  1864  fxsteller.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "fxsteller.exe"  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process                                             procid_target
  PID 1064 set thread context of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
Drops file in Windows directory (2 IoCs)
  description                   ioc                       Process
  File opened for modification  C:\Windows\fxsteller.exe  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
  File created                  C:\Windows\fxsteller.exe  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2548  1864        WerFault.exe  31
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fxsteller.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                             procid_target
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 1064 wrote to memory of 2384   1064  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 1864   2384  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  31
  PID 2384 wrote to memory of 1864   2384  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  31
  PID 2384 wrote to memory of 1864   2384  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  31
  PID 2384 wrote to memory of 1864   2384  062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe  31
  PID 1864 wrote to memory of 2548   1864  fxsteller.exe                                       32
  PID 1864 wrote to memory of 2548   1864  fxsteller.exe                                       32
  PID 1864 wrote to memory of 2548   1864  fxsteller.exe                                       32
  PID 1864 wrote to memory of 2548   1864  fxsteller.exe                                       32
Processes
C:\Users\Admin\AppData\Local\Temp\062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe"
  PID: 1064
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\062e2c20d39d1d5be3420046399e64ba_JaffaCakes118.exe
    PID: 2384
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\fxsteller.exe
      Command line: "C:\Windows\fxsteller.exe"
      PID: 1864
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 72
        PID: 2548
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 38KB
MD5: 062e2c20d39d1d5be3420046399e64ba
SHA1: 1dfd3c1341bff634738f9240aa616d0e3630438d
SHA256: f41e21f084c9aa503e60656364987abe42f6617fd0a3f9d39bb614342e6c1bfb
SHA512: 1c3adc6fe3391f56c03cd57a8cc3045985b9001483a002e5ed1f584f88ea44cfdfd22d4d766f269354339015a2034a50f1b78d7a6314b24f37e3a3d54dce1cb9