Analysis
- max time kernel: 146s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2024, 07:52
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe
- Size: 558KB
- MD5: 0eab7d5bd9d992dd6ac1e3cc634d2bf1
- SHA1: b3f8e7ebf75667c46cdf1a37d8329ac0654cb81c
- SHA256: de4f294516925fc1369aea68162e7b840fa272295b86bfa13f658d5d561f7be5
- SHA512: 21387a9aee79e96902abb7348da03f380a81cd6e60e5f5e779e1c025f832798943c8f074c514fa1df538f388daa46a1867eb4ce09f4a90164a2972e6b1b4ef7d
- SSDEEP: 6144:jyH7xOc6H5c6HcT66vlmszvZJO3VRg948qxjF3k4F4T4KBYX+pd1bEz2s7ETRhE8:jaBvHO3gg7dX+pd167QhEUn7+ijXB
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
- pid 2796, process svchost.exe
- pid 3212, process 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe
- pid 708, process svchost.exe

Drops file in Program Files directory (64 IoCs)
All entries: description "File opened for modification", process svchost.exe.
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
- C:\Program Files\Java\jdk-1.8\bin\rmic.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
- C:\Program Files\Java\jdk-1.8\bin\jjs.exe
- C:\Program Files\Java\jdk-1.8\bin\jstack.exe
- C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
- C:\Program Files\Java\jdk-1.8\bin\javap.exe
- C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
- C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
- C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
- C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
- C:\Program Files\Java\jdk-1.8\bin\java.exe
- C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
- C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
- C:\Program Files\Java\jdk-1.8\bin\jps.exe
- C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\dotnet\dotnet.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
- C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
- C:\Program Files\Java\jdk-1.8\bin\jmap.exe
- C:\Program Files\Java\jdk-1.8\bin\ktab.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Java\jdk-1.8\bin\javaws.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
- C:\Program Files\Java\jdk-1.8\bin\jstat.exe
- C:\Program Files\Java\jdk-1.8\bin\kinit.exe
- C:\Program Files\Java\jdk-1.8\bin\klist.exe
- C:\Program Files\Java\jdk-1.8\bin\orbd.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Java\jdk-1.8\bin\idlj.exe
- C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
- C:\Program Files\Java\jdk-1.8\bin\javaw.exe
- C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
- C:\Program Files\Java\jdk-1.8\bin\keytool.exe
- C:\Program Files\Java\jdk-1.8\bin\pack200.exe
- C:\Program Files\Java\jdk-1.8\bin\policytool.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Java\jdk-1.8\bin\javac.exe
- C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
- C:\Program Files\Java\jdk-1.8\bin\jhat.exe
- C:\Program Files\Java\jdk-1.8\bin\javah.exe
- C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
- C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
- C:\Program Files\Java\jdk-1.8\bin\jdb.exe
- C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\svchost.exe, process 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2464 wrote to memory of 2796 (pid 2464, process 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe, procid_target 82)
- PID 2464 wrote to memory of 2796 (pid 2464, process 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe, procid_target 82)
- PID 2464 wrote to memory of 2796 (pid 2464, process 0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe, procid_target 82)
- PID 2796 wrote to memory of 3212 (pid 2796, process svchost.exe, procid_target 83)
- PID 2796 wrote to memory of 3212 (pid 2796, process svchost.exe, procid_target 83)
- PID 2796 wrote to memory of 3212 (pid 2796, process svchost.exe, procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe (PID 2464, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe (PID 2796, level 2)
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe (PID 3212, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0eab7d5bd9d992dd6ac1e3cc634d2bf1_JaffaCakes118.exe"
      Signatures: Executes dropped EXE
- C:\Windows\svchost.exe (PID 708, level 1)
  Command line: C:\Windows\svchost.exe
  Signatures: Executes dropped EXE; Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 523KB
  MD5: 8dd7cd6b729f8c030f708c850d6e0248
  SHA1: 5a7a4ff330645e16d0ee57d6ce255b59fc1be6ef
  SHA256: b2a42f0a1ec5c16626c0dcc0a6670d90a225bf6cccc7c3232ca14c63f6d5a0c8
  SHA512: fae640f4fc088cd8553d39bc781dad408b0dc7e3e6c5f5cfe463b99f2c7a1e3492df82e54a3f49c5792ee12aa23321ac1e27583ef84289c0dd84a0d002634503
- Filesize: 35KB
  MD5: ff948cfa9e42bc40cd308ecef233f087
  SHA1: c3272caf5613c96dc56a306e84fba4062a2d928e
  SHA256: 3638dc9b5a971f313387af6c212d07afa764dd8bdcec72e58b758e6954dc0847
  SHA512: 12e47a2c575de7ae6b0db827944ba3bb68fcbbbe59d9bc33f13e7d84a08f18f84ac98ee50d531ef1ec82e25eeb15f55bbb941f8ce4f61f24105037319c83d4df