Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02-10-2024 01:30
Static task
static1
Behavioral task
behavioral1
Sample
0842d0e432180b0780236096c2189761_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0842d0e432180b0780236096c2189761_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
0842d0e432180b0780236096c2189761_JaffaCakes118.exe
-
Size
98KB
-
MD5
0842d0e432180b0780236096c2189761
-
SHA1
5ef71995386f2cb5a1f38667ec1422c4a9ee05d8
-
SHA256
e848da375e3761f95d614daa86de4ffb531246915364a6b1f1e52514ee0a60e3
-
SHA512
a031eb7f5fb3bebb66d5cbd561d3bec3e9798cc15eeaedfc259705483300416363d1e5355dea98742156adc768dd570d52d84702c8b78c643b8f2b2a7fcf30a6
-
SSDEEP
1536:8klgA+WDngGwcljJPeKhhJUdnpcGUwkH0CJeUjrtWHLEg0KfVIuk:ZlT+W73fpJPeEhOpctwgjrtWHLrVVk
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2384 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842d0e432180b0780236096c2189761_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2384 1644 0842d0e432180b0780236096c2189761_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2384 1644 0842d0e432180b0780236096c2189761_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2384 1644 0842d0e432180b0780236096c2189761_JaffaCakes118.exe 31 PID 1644 wrote to memory of 2384 1644 0842d0e432180b0780236096c2189761_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\0842d0e432180b0780236096c2189761_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0842d0e432180b0780236096c2189761_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wrf..bat" > nul 2> nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2384
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
238B
MD5ed961bc3e75b797a791ac2b0664aba08
SHA18866fc81db6d984f1f1c4cedfe4daa68071b88c7
SHA256c0190bcaadf1c510ed0a38dac501d70b4a71dd9be17b547bb267272eb200860c
SHA5125261928d8dd4904b0ecceb313befe517726cd17e6a4d25445c1840e2fab50e6277e5025ef72f5c58d3445155cd53974065e3f78c4f03ffce823aab8480f133aa