Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: 0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
Size: 312KB
MD5: 0d77d23ca333f19b0cd24ec3aa3afea6
SHA1: 35068091bad939b3681159b4a2dc85a4fbd00bea
SHA256: f17f4d15a3d8b2e0e61521d5f3624a71c535a5b8d9f8cbcdc697411204f845ee
SHA512: 6c021bdb3f6174c57782b66d29c8ba2d4a8d04d93e4606515b7634e74a447b0ea8f84571c10f89c02867c8a3d645384a36f54f1abff7bfcd137f1721acb247e2
SSDEEP: 6144:0FJnc/H9RBIThO9LvweYVWsrtQVVGMucT/9vW9LTUM3goMn5902:0FtcPpINO9U90aQ/GlTTngY
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2288  mMkPkGmPgLp01804.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  2288  mMkPkGmPgLp01804.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mMkPkGmPgLp01804 = "C:\\ProgramData\\mMkPkGmPgLp01804\\mMkPkGmPgLp01804.exe"
  Process: mMkPkGmPgLp01804.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\E:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\R:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\X:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\Y:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\W:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\J:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\K:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\L:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\M:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\N:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\Q:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\S:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\U:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\Z:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\V:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\G:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\H:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\I:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\O:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\P:  mMkPkGmPgLp01804.exe
  File opened (read-only)  \??\T:  mMkPkGmPgLp01804.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mMkPkGmPgLp01804.exe
Modifies Internet Explorer settings
  description  ioc                                                                                                          Process
  Key created  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main  mMkPkGmPgLp01804.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
  2288  mMkPkGmPgLp01804.exe
  (64 entries in total, alternating between PID 1984 and PID 2288; the same two processes repeated)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
  Token: SeDebugPrivilege  2288  mMkPkGmPgLp01804.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2288  mMkPkGmPgLp01804.exe
  2288  mMkPkGmPgLp01804.exe
Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  2288  mMkPkGmPgLp01804.exe
  2288  mMkPkGmPgLp01804.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2288  mMkPkGmPgLp01804.exe
  2288  mMkPkGmPgLp01804.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                             procid_target
  PID 1984 wrote to memory of 2288  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe  31
  PID 1984 wrote to memory of 2288  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe  31
  PID 1984 wrote to memory of 2288  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe  31
  PID 1984 wrote to memory of 2288  1984  0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe"
   PID: 1984
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\mMkPkGmPgLp01804\mMkPkGmPgLp01804.exe (child of PID 1984)
      Command line: "C:\ProgramData\mMkPkGmPgLp01804\mMkPkGmPgLp01804.exe" "C:\Users\Admin\AppData\Local\Temp\0d77d23ca333f19b0cd24ec3aa3afea6_JaffaCakes118.exe"
      PID: 2288
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 312KB
MD5: edeee24929dea05307780976ddcba2e4
SHA1: ea009947b74ab1b6e462f3eab6f00c957909e730
SHA256: 723e4d16f928f4e8bf6339fc7680440ddc7a9a22641d9f8c4e1233c5340212b2
SHA512: d5b271784fc8962f2c19fb7592e3e56e1cc3e2c011bf7d1a0adfc3f3f54e52918f2ccbd8184870f3dcf3370c77e651be7de89fdbac4882b4e056deb17308a72a