Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2024 21:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe
Size: 12KB
MD5: 0c8a4921849df0046bea3b9dbefd80f9
SHA1: 8a618e17320d10f486861babb4feaede3898f2c2
SHA256: 633e54c489c854ad722253551e490e4435e3d9c9e002da12bbcc0de1509c540e
SHA512: e3793852c094d5c81684af548388bccd199c5dcbc05bba9b63123a0a92cfbb85ec1208e26a175965f51ca1fa6d36c152ab5af279d621909cf03de65b17e7633e
SSDEEP: 192:en31R5Fhp8cdwpHR3AkPLiM79mLU2PcSe8hcqm:oj5FZdgAkTiM79mgLSeScqm
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 3068  b2e.exe

Loads dropped DLL (2 IoCs)
  PID 1932  0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe (two DLL loads by the same process)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by cmd.exe (two events)
    by 0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe
    by b2e.exe
  Caveat: this key is read by many legitimate processes during locale initialisation (the report itself attributes two of the four events to cmd.exe), so on its own it is a weak indicator; weight it only in combination with the drop-and-execute chain below.

Suspicious use of WriteProcessMemory (12 IoCs)
  The report lists each parent-to-child write four times; the three distinct edges are below, and they match the parent/child relationships in the Processes section.
    PID 1932 (0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe) wrote to memory of PID 3068, procid_target 30 (4 events)
    PID 3068 (b2e.exe) wrote to memory of PID 2040, procid_target 31 (4 events)
    PID 3068 (b2e.exe) wrote to memory of PID 2760, procid_target 33 (4 events)
Processes (process tree; nesting depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe"
   PID: 1932
   Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe"
      PID: 3068
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\B8F3.tmp\batchfile.bat" "
         PID: 2040
         Signatures: System Location Discovery: System Language Discovery

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
         PID: 2760
         Signatures: System Location Discovery: System Language Discovery
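The chain above (a 12KB parent unpacking b2e.exe into a Temp\<name>.tmp directory, that stub running batchfile.bat through cmd.exe and then a self-deleting selfdel0.bat) is the runtime layout one sees when a batch script has been wrapped by a Bat-To-Exe style converter, so the interesting detection surface is the launch chain rather than any single process. As an added example (not part of the sandbox report and not the sample's own code), the Python below rebuilds the process tree from the report's "wrote to memory of" rows, deduplicating the four-fold repeats, and applies rules for the three observable behaviours: an image executing from a Temp\*.tmp directory, cmd.exe being handed a .bat under Temp, and a self-deletion batch. The process list and WriteProcessMemory rows are transcribed from this report; the rule names and regular expressions are my own choices and the self-deletion rule is name-based only.

```python
"""Rebuild the process tree from a Triage-style sandbox report and flag the
drop-and-execute chain seen in it.  Added example; not part of the original
report.  PROCESSES and WPM_ROWS are constructed from the report's Processes and
'Suspicious use of WriteProcessMemory' sections."""
import re
from collections import defaultdict

# (pid, image path, command line) as listed in the report's Processes section.
PROCESSES = [
    (1932,
     r"C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe"'),
    (3068,
     r"C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe" '
     r'C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp '
     r'"C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe"'),
    (2040, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\B8F3.tmp\batchfile.bat" "'),
    (2760, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "'),
]

# Rows from the report's WriteProcessMemory signature.  The report lists each
# parent/child pair four times, which is why parse_parents() deduplicates.
WPM_ROWS = (
    ["PID 1932 wrote to memory of 3068 1932 0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe 30"] * 4
    + ["PID 3068 wrote to memory of 2040 3068 b2e.exe 31"] * 4
    + ["PID 3068 wrote to memory of 2760 3068 b2e.exe 33"] * 4
)

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Image launched from a <name>.tmp directory directly under the user's Temp.
TEMP_TMPDIR_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\\", re.IGNORECASE)
# cmd.exe asked to run a .bat stored anywhere under Temp.
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\"]*\.bat\b", re.IGNORECASE)
# Name-based indicator only (assumed from the file name seen in this report).
SELFDEL_RE = re.compile(r"\\selfdel\d*\.bat\b", re.IGNORECASE)


def parse_parents(rows):
    """Map child PID -> parent PID from 'PID X wrote to memory of Y' rows, deduplicated."""
    parents = {}
    for row in rows:
        m = EDGE_RE.search(row)
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            parents.setdefault(child, parent)
    return parents


def findings(procs, parents):
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    hits = defaultdict(list)
    for pid, image, cmdline in procs:
        if TEMP_TMPDIR_RE.search(image):
            hits[pid].append("exec_from_temp_tmpdir")
        if image.lower().endswith("\\cmd.exe") and TEMP_BAT_RE.search(cmdline):
            hits[pid].append("cmd_batch_from_temp")
        if SELFDEL_RE.search(cmdline):
            hits[pid].append("self_delete_batch")
    # Chain rule: a binary running from Temp\*.tmp that spawns cmd.exe on a Temp batch file.
    for child, parent in parents.items():
        if ("cmd_batch_from_temp" in hits.get(child, [])
                and "exec_from_temp_tmpdir" in hits.get(parent, [])
                and "dropped_exe_runs_temp_batch" not in hits[parent]):
            hits[parent].append("dropped_exe_runs_temp_batch")
    return dict(hits)


def render_tree(procs, parents):
    """Indented process tree, one line per process: '<pid> <image>'."""
    images = {pid: image for pid, image, _ in procs}
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in [pid for pid in images if pid not in parents]:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parents = parse_parents(WPM_ROWS)
    print(render_tree(PROCESSES, parents))
    for pid, rules in sorted(findings(PROCESSES, parents).items()):
        print(f"PID {pid}: {', '.join(rules)}")
```

Run stand-alone it prints the four-process tree and flags PIDs 3068, 2040 and 2760, leaving the original 1932 unflagged; the chain rule is what distinguishes this pattern from an installer that merely unpacks into Temp. Against live telemetry the same rules apply to parent/child PIDs from Sysmon event 1 or EDR process-create events instead of the report's WriteProcessMemory rows.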
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report gives sizes and hashes only, no file names)

File 1
  Filesize: 8KB
  MD5: 67a3e740cb73c0dcd5c4224151710cbd
  SHA1: 7b6a87ab57da93831b193761259389827fa2efa8
  SHA256: 1667cb62909b1de21dc1345a9c16c520866d77d6c0b6759c51fd4fc725bdbe28
  SHA512: 70ec8f783caaf017b2dd4f8a89a1d330c6369ba5d7fd6b1bbdb0193e59e72974bcd2a6fb22c812ddf0ac4f9064e9d879456eb8c70fb874285ba7685cc0fad1e8

File 2
  Filesize: 23B
  MD5: 5daa75bbb8b5c960fe4a28884fad5910
  SHA1: 14c1b355026ea8e7b8832de5da56fdc650219971
  SHA256: 96a334105f778dd15e94f8b4db6ba28222d466e9d4b26321dabff8d64d3fe9d0
  SHA512: e768c1edda162e1ce894934ac5649b04bc4bcb331aef3c7ee93cb3e50db3df2f3439a2de757dde4c41f1127619a4ded7c790ba3d36a0df5475f79a78ea59f16b

File 3
  Filesize: 158B
  MD5: 9c1fc7f81e97690e0be85fc0462623f5
  SHA1: 0a9fc59bd80e4cecc69cded465ee10af334605f5
  SHA256: 380db357eb459ecef1f80b435520ba488c084c07ae2335899cb8590ff51d4319
  SHA512: 0181f2b0f125d9bc2cce3b7f51314213ee66328bd4352e31f9f0f6dcbc7a08984c97cb06e6cda7814a78d278f1b7493c1283c767e0d526a421cb2848879501a6