Analysis
-
max time kernel
140s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 14:08
Static task
static1
Behavioral task
behavioral1
Sample
0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
-
Size
2.8MB
-
MD5
0f12c3f574b77fe9ee6874150c41ec38
-
SHA1
88e9e3b2009d06284d665d2edaf21181749aaa37
-
SHA256
2b3ef0ee83fd79e2c40902d57944bf2eb5adfb8d20a9375140a2c1576ee1de55
-
SHA512
a70999d07e3fd7ea533969d283f1f911bf091bded608fdb130173dbcdad1eef19e44c1b89dab11e7ab2aa3690b01a760a6482492819125b52f50d127f6af4418
-
SSDEEP
49152:EQFRHrmQG+AQG+qQG+VQG+XJQG+jqQG+d+XJQG+0OMR:EcKNjeafTp
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3924 ejc.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ejc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3924 ejc.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 3924 ejc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3924 ejc.exe 3924 ejc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 800 wrote to memory of 3924 800 0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe 82 PID 800 wrote to memory of 3924 800 0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe 82 PID 800 wrote to memory of 3924 800 0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Users\Admin\AppData\Local\Temp\ejc.exeC:\Users\Admin\AppData\Local\Temp\ejc.exe -run C:\Users\Admin\AppData\Local\Temp\0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3924
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD51d00c82849722f73c870be3e2ec5f259
SHA15a34bce115c471839c1c713c0623fbb887fb41a3
SHA256b1747d6065d79e0ee6b7145739c736cacf30749e803d89df23f4297a547c07f1
SHA5125bcd25f50bb9fb97f0d289f688ee8a14f6e2d194cc495759e51f193d7a65b86b1daaed9bca3a82f81ef456518eb29317cbe5214414fb9aae5a30eb181f5ddeec