Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 16:22
Static task: static1
Behavioral task: behavioral1
  Sample: 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
Size: 373KB
MD5: 141548dd830ee087060c586286ee5978
SHA1: 9dc1fef5803f3e68e5508a05c4c6340a6741702c
SHA256: 09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60
SHA512: eac79862272363efbc152372ab458a74545468e42a0da70128bff5383dd6c73c202b688446e1cf305ec4223781839fd25faecbbd223a8b9d587a178fa8c61519
SSDEEP: 6144:BvZQCqWExFjMQ0YM3i9rSeX/OHWbboa4FU3yZglJgr/VprMfY+u7UBWQM49mS8tc:5fqhxFjr0YeiJNXGUyClar/YuYB/M49d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2520  process services.exe
- Loads dropped DLL (2 IoCs)
  pid 2240  process 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  pid 2240  process 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWMT32 = "REGEDIT /S \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMTINSTA.REG\""  process regedit.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWMT32 = "REGEDIT /S \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMTINSTA.REG\""  process regedit.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process services.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process CMD.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process regedit.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process CMD.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process regedit.exe
- Runs regedit.exe (2 IoCs)
  pid 1020  process regedit.exe
  pid 2988  process regedit.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  source pid / source process / target pid / procid_target
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 2520  procid_target 28
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 2520  procid_target 28
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 2520  procid_target 28
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 2520  procid_target 28
  2520  services.exe  wrote to memory of 2524  procid_target 29
  2520  services.exe  wrote to memory of 2524  procid_target 29
  2520  services.exe  wrote to memory of 2524  procid_target 29
  2520  services.exe  wrote to memory of 2524  procid_target 29
  2524  CMD.EXE  wrote to memory of 1020  procid_target 31
  2524  CMD.EXE  wrote to memory of 1020  procid_target 31
  2524  CMD.EXE  wrote to memory of 1020  procid_target 31
  2524  CMD.EXE  wrote to memory of 1020  procid_target 31
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 3040  procid_target 32
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 3040  procid_target 32
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 3040  procid_target 32
  2240  141548dd830ee087060c586286ee5978_JaffaCakes118.exe  wrote to memory of 3040  procid_target 32
  3040  CMD.EXE  wrote to memory of 2988  procid_target 34
  3040  CMD.EXE  wrote to memory of 2988  procid_target 34
  3040  CMD.EXE  wrote to memory of 2988  procid_target 34
  3040  CMD.EXE  wrote to memory of 2988  procid_target 34
Processes (process tree; indentation shows parent/child depth)
(depth 1) C:\Users\Admin\AppData\Local\Temp\141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\141548dd830ee087060c586286ee5978_JaffaCakes118.exe"
  PID: 2240
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\services.exe
    command line: C:\Users\Admin\AppData\Local\Temp\services.exe
    PID: 2520
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\CMD.EXE
      command line: CMD.EXE /C REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
      PID: 2524
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\regedit.exe
        command line: REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
        PID: 1020
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Runs regedit.exe
  (depth 2) C:\Windows\SysWOW64\CMD.EXE
    command line: CMD.EXE /C REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
    PID: 3040
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\regedit.exe
      command line: REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
      PID: 2988
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 161B
  MD5: ddd2a5b59b0507f1b38d4b70c5493cd5
  SHA1: 6b958ea3468bf7fc085e9a9147e89a0299106974
  SHA256: 4c84d8cda07990c1f9ea4e4bc6221f8b3241842fa33f2106d98734ac2ffb4227
  SHA512: 58a285e36a20a0165b7904c6bc8c43402ad69b92d49bb5d51205adcb83205c746ce0ccbe607116f509eb78f6360def074a0fb41c7ac7c96e3eee44dfef365e68
- Filesize: 146B
  MD5: d38d353dcb8f69412efd564fbc97ec27
  SHA1: 44db24099c9d7f374cc9409b87aaa33c0e44b2a9
  SHA256: c13fc26863183a3cbcdf174ac2987942fc7c9294d6ab847dfebdd4f87e53cc15
  SHA512: fc4afc5ca760f283d3e2b3f46b16d875342266bcb8426b60af4c80c03d0fb4beeb0e58a42da7db64e85597aa3d3e7a05cae5cae0d51db7f5d9744e537d5a5338
- Filesize: 373KB
  MD5: 141548dd830ee087060c586286ee5978
  SHA1: 9dc1fef5803f3e68e5508a05c4c6340a6741702c
  SHA256: 09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60
  SHA512: eac79862272363efbc152372ab458a74545468e42a0da70128bff5383dd6c73c202b688446e1cf305ec4223781839fd25faecbbd223a8b9d587a178fa8c61519