Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2024 01:31

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
  Resource: win7-20240708-en
- Behavioral task: behavioral2
  Sample: 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
- Size: 14KB
- MD5: 0842e59497d6172c8f478909aa4c1c91
- SHA1: 947164fdeee6adfea505b512cf8bbd0626878247
- SHA256: 4166a44f3e13dd539dbbfce1dcb5af47fac705f01fa864eb7dd1016beaaf8dc7
- SHA512: 7170af338e04fa31bc506f621abef3b4dbcd05ce3c40ac724689a0fbf92b8308eeea1f5657ed3ab9b67854b1cb10b93c04ea4feaa4d59bc3f6b36e1a2a4d0b96
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmba:hDXWipuE+K3/SSHgxmWmba
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid  | Process
  760  | DEM83C0.exe
  2680 | DEMD9EB.exe
  2600 | DEM2F4A.exe
  1676 | DEM8508.exe
  2380 | DEMDA68.exe
  1628 | DEM2FC7.exe

Loads dropped DLL (6 IoCs)
  pid  | Process
  2988 | 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
  760  | DEM83C0.exe
  2680 | DEMD9EB.exe
  2600 | DEM2F4A.exe
  1676 | DEM8508.exe
  2380 | DEMDA68.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                       | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM2F4A.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM8508.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMDA68.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM83C0.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD9EB.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  Each parent-to-child write is recorded four times; the six distinct writer/target pairs form a single linear chain.
  description                          | pid  | Process                                            | procid_target
  PID 2988 wrote to memory of 760      | 2988 | 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe | 31
  PID 2988 wrote to memory of 760      | 2988 | 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe | 31
  PID 2988 wrote to memory of 760      | 2988 | 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe | 31
  PID 2988 wrote to memory of 760      | 2988 | 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe | 31
  PID 760 wrote to memory of 2680      | 760  | DEM83C0.exe                                        | 33
  PID 760 wrote to memory of 2680      | 760  | DEM83C0.exe                                        | 33
  PID 760 wrote to memory of 2680      | 760  | DEM83C0.exe                                        | 33
  PID 760 wrote to memory of 2680      | 760  | DEM83C0.exe                                        | 33
  PID 2680 wrote to memory of 2600     | 2680 | DEMD9EB.exe                                        | 35
  PID 2680 wrote to memory of 2600     | 2680 | DEMD9EB.exe                                        | 35
  PID 2680 wrote to memory of 2600     | 2680 | DEMD9EB.exe                                        | 35
  PID 2680 wrote to memory of 2600     | 2680 | DEMD9EB.exe                                        | 35
  PID 2600 wrote to memory of 1676     | 2600 | DEM2F4A.exe                                        | 37
  PID 2600 wrote to memory of 1676     | 2600 | DEM2F4A.exe                                        | 37
  PID 2600 wrote to memory of 1676     | 2600 | DEM2F4A.exe                                        | 37
  PID 2600 wrote to memory of 1676     | 2600 | DEM2F4A.exe                                        | 37
  PID 1676 wrote to memory of 2380     | 1676 | DEM8508.exe                                        | 39
  PID 1676 wrote to memory of 2380     | 1676 | DEM8508.exe                                        | 39
  PID 1676 wrote to memory of 2380     | 1676 | DEM8508.exe                                        | 39
  PID 1676 wrote to memory of 2380     | 1676 | DEM8508.exe                                        | 39
  PID 2380 wrote to memory of 1628     | 2380 | DEMDA68.exe                                        | 41
  PID 2380 wrote to memory of 1628     | 2380 | DEMDA68.exe                                        | 41
  PID 2380 wrote to memory of 1628     | 2380 | DEMDA68.exe                                        | 41
  PID 2380 wrote to memory of 1628     | 2380 | DEMDA68.exe                                        | 41
Processes
Each process below is spawned by the one above it (tree depth 1 to 7); all images live in the same user Temp directory.

Depth 1: C:\Users\Admin\AppData\Local\Temp\0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe"
  PID: 2988
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\DEM83C0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM83C0.exe"
  PID: 760
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\DEMD9EB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD9EB.exe"
  PID: 2680
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Local\Temp\DEM2F4A.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2F4A.exe"
  PID: 2600
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Users\Admin\AppData\Local\Temp\DEM8508.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8508.exe"
  PID: 1676
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Local\Temp\DEMDA68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDA68.exe"
  PID: 2380
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Local\Temp\DEM2FC7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2FC7.exe"
  PID: 1628
  - Executes dropped EXE
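The WriteProcessMemory table and the process tree above describe one linear drop-and-execute chain: every stage writes a new DEMxxxx.exe into Temp, starts it, and the child repeats the pattern. The script below is an added example (not part of the sandbox report or its tooling) that reconstructs that chain from the report's own IoC lines, collapses the fourfold repetition of each event, and checks two things a triager would want: that the chain is a self-replicating drop chain, and which stage never opened the NLS\Language key. The event text is copied from the tables above; the regexes, the DEMxxxx.exe naming heuristic and the min_depth threshold are this example's own assumptions.

```python
import re

# Constructed from the 'Suspicious use of WriteProcessMemory' table above
# (one copy of each distinct line). The report prints every event four
# times, so WPM_LOG reproduces that repetition for the parser to collapse.
WPM_TEXT = """
PID 2988 wrote to memory of 760 2988 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe 31
PID 760 wrote to memory of 2680 760 DEM83C0.exe 33
PID 2680 wrote to memory of 2600 2680 DEMD9EB.exe 35
PID 2600 wrote to memory of 1676 2600 DEM2F4A.exe 37
PID 1676 wrote to memory of 2380 1676 DEM8508.exe 39
PID 2380 wrote to memory of 1628 2380 DEMDA68.exe 41
"""
WPM_LOG = "\n".join(line for line in WPM_TEXT.strip().splitlines() for _ in range(4))

# 'Executes dropped EXE' table: pid followed by image name, six pairs.
EXEC_TEXT = ("760 DEM83C0.exe 2680 DEMD9EB.exe 2600 DEM2F4A.exe "
             "1676 DEM8508.exe 2380 DEMDA68.exe 1628 DEM2FC7.exe")

# Processes listed under 'System Language Discovery' (opened ...\NLS\Language).
LANG_PROCS = {
    "DEM2F4A.exe", "DEM8508.exe", "DEMDA68.exe",
    "0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe",
    "DEM83C0.exe", "DEMD9EB.exe",
}

# Assumed line layout: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# Assumed naming pattern of the dropped stages seen in this report.
STAGE_RE = re.compile(r"^DEM[0-9A-F]{4}\.exe$")


def parse_wpm(log):
    """Return distinct (writer_pid, writer_image, target_pid) edges, first-seen order."""
    edges, seen = [], set()
    for line in log.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        edge = (int(m.group(1)), m.group(3), int(m.group(2)))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def parse_exec(text):
    """pid -> image name from the 'Executes dropped EXE' table."""
    toks = text.split()
    return {int(toks[i]): toks[i + 1] for i in range(0, len(toks), 2)}


def build_chain(edges, names, root_pid):
    """Follow parent->child writes from the root; stop at a leaf or a fork."""
    children = {}
    for wpid, wimage, tpid in edges:
        names.setdefault(wpid, wimage)      # the root's name only appears here
        children.setdefault(wpid, []).append(tpid)
    chain, pid = [(root_pid, names[root_pid])], root_pid
    while len(children.get(pid, [])) == 1:
        pid = children[pid][0]
        chain.append((pid, names.get(pid, "?")))
    return chain


def is_self_replicating_drop_chain(chain, min_depth=3):
    """Heuristic (this example's): a linear chain in which every stage after the
    root is a DEMxxxx.exe-style dropped image, at least min_depth stages deep."""
    stages = [image for _, image in chain[1:]]
    return len(stages) >= min_depth and all(STAGE_RE.match(s) for s in stages)


def stages_without_lang_check(chain, lang_procs):
    """Stages in the chain that are not credited with the NLS\\Language lookup."""
    return [image for _, image in chain if image not in lang_procs]


def analyze():
    names = parse_exec(EXEC_TEXT)
    edges = parse_wpm(WPM_LOG)
    chain = build_chain(edges, names, 2988)
    return {
        "distinct_edges": len(edges),
        "chain": chain,
        "drop_chain": is_self_replicating_drop_chain(chain),
        "no_lang_check": stages_without_lang_check(chain, LANG_PROCS),
    }


if __name__ == "__main__":
    result = analyze()
    for depth, (pid, image) in enumerate(result["chain"], 1):
        print(f"depth {depth}: {image} (PID {pid})")
    print("self-replicating drop chain:", result["drop_chain"])
    print("stages that never opened NLS\\Language:", result["no_lang_check"])
```

Running it yields the seven-stage chain from PID 2988 down to DEM2FC7.exe (PID 1628), confirms the six distinct edges behind the 24 logged IoCs, and singles out DEM2FC7.exe as the only stage without the language lookup, which matches the tree above: it is the last process started before the run ended and carries no further WriteProcessMemory signature.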
Network
MITRE ATT&CK Enterprise v15
Downloads
Six dropped files, each 14KB (the same size as the submitted sample) and each with a distinct hash.

- Filesize: 14KB
  MD5: 7c98b39db9a83c3bd296a1ea30ecc83b
  SHA1: 79fb7f4456557eb13fee2b50c175083e0ee7baaf
  SHA256: 0ac66ce532ee4134b03966d04d5010e54b86f67a6bf5db90509666bb043bd279
  SHA512: 4e98938775e4d3e140ebc360ec16fe3bde38e333e107cf720f965f0fd333e3061739fcafa0cd3238da55fd0c0fe0de7feb3be60eb57ffccaf0b91e8d797a1c6f

- Filesize: 14KB
  MD5: 4d31ca5246aa9a29324e762470e86055
  SHA1: 1dd5c5bf7d9b26ba41a2be6ecb53ad2b18604da3
  SHA256: e5bf4e7603d7f9e92b142388d7436e78def7c3b4e79934e5f85ba561a76af36f
  SHA512: e240fa9a0bc968fc37ec123cf446d86b0b687ad30d45f450f5d056987e6e4ed0b1a8a7b71035e5d7a16af33805dc68202340fc532834bb267e76e5561fcbf1ec

- Filesize: 14KB
  MD5: be93bead05db49106749242ae43c030f
  SHA1: 4d4f5c984e696bc624587bca76c6f2c080f6d93a
  SHA256: 5ed22794ac1a6c1f62aa487de73e186f8ae5bb228bd78e0fa6d4faec77d8bce3
  SHA512: 1803f9d8f21821e1cb0102d4d0028a85abd1f2d19f9997644913a45394e56dca01b275095ebab6d3f1b4e3c2fbcf02097c3873622a97aeb5f7633b678e07170d

- Filesize: 14KB
  MD5: 292394c31d0347f0ebf68d44f7b1640b
  SHA1: 03f7e1bb757dc2602b4029da2acb3bb6cb3ac814
  SHA256: 1e5683304e042529de07ef0bfc9c565089f514da00adf4f57fee0fce4be137d6
  SHA512: 2bdef9a7f906eef51e270dfb0a4e2ac624160d602f4db1200d51425d2ba0d561a92b54979229c044e5ceca79ad2cad0cc8a89502a275cec5ef541541e98df0ea

- Filesize: 14KB
  MD5: c2037c797ed724436109f36540e439b9
  SHA1: f8059878c64c32b4d1d2a04dba57522df283581b
  SHA256: ee2c713959e3e33503bd6e207db0d61006e754a8d4c5f2e93c46da93ad154942
  SHA512: 23d20a521c519182e257f02c3ca5db04a5b5342c7e31f17dba165fbd8103b745a125340e17a3e11f217a6325d74f28916d8ea9be6e2a95f3b6c432df7eec5a0c

- Filesize: 14KB
  MD5: 7e9d9a38832e62c7e581ef0e6e23fc9d
  SHA1: 9bbad71abc9b8feee3b37993747d7ffea3e46cb9
  SHA256: e9a356cf6e2c370d25a1d7eeb333ab9aeb1a6f5f731e18ad0b368a6738095753
  SHA512: 30b506b07ff0722baa573c07d27c50628dbf2f3f8800b5edd654f13b267ce007dc6aa4ec50d703ea50940532d99826e923513216fe8b39f29ea326285d02d697