Analysis
max time kernel: 123s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/10/2024, 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
Size: 1.3MB
MD5: 159a037a37339a28dfbf8af93f3efdeb
SHA1: 17bf99c8c7b97385773ccf1b186a9eea9e74fdac
SHA256: cec0150ad1e839c303bfff7282abe1d1385fa455141f19c46358a8977bff8513
SHA512: ff56a732d5d8269791a589401bb498d80d56f906675c2c5620aec4f13682ea8ab40e4b9433f00d09f9e37dc7dfa30ed82b73964aed56134a36781c163d9f3f0f
SSDEEP: 12288:NceA/yvZlvENoBh/LzN4V2BDBFmszSjY:aeZlMNoBXeeCszS
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 1644  cmd.exe
Executes dropped EXE (1 IoC)
  pid 2256  360.exe
Loads dropped DLL (2 IoCs)
  pid 2172  159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
  pid 2172  159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
Drops file in Windows directory (1 IoC)
  File created  C:\Windows\uninstal.bat  by 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 360.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2172  159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2256  360.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2256  360.exe
Suspicious use of SendNotifyMessage (1 IoC)
  pid 2256  360.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  (description; source pid and process; procid_target)
  PID 2172 wrote to memory of 2256  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  31
  PID 2172 wrote to memory of 2256  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  31
  PID 2172 wrote to memory of 2256  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  31
  PID 2172 wrote to memory of 2256  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  31
  PID 2256 wrote to memory of 2264  2256 360.exe  32
  PID 2256 wrote to memory of 2264  2256 360.exe  32
  PID 2256 wrote to memory of 2264  2256 360.exe  32
  PID 2256 wrote to memory of 2264  2256 360.exe  32
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
  PID 2172 wrote to memory of 1644  2172 159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe  33
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\159a037a37339a28dfbf8af93f3efdeb_JaffaCakes118.exe"
  PID: 2172
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Documents and Settings\Administrator\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯\360.exe
    (the path is recorded as-is; the garbled segment is the GBK encoding of 「开始」菜单\程序\启动, the Chinese-locale "Start Menu\Programs\Startup" folder, rendered in the en-US code page)
    Command line: "C:\Documents and Settings\Administrator\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯\360.exe"
    PID: 2256
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 2264
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    PID: 1644
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 218B
  MD5: 144d7d1d50a4f9d6178277d3eefe9898
  SHA1: 3fa3eb446878fce967122cd2e469c133848d4ca7
  SHA256: 584dd65605cdca417ca139b7c458bf695f227d959cfe97c136d608af3a7334ca
  SHA512: 41faaec83f4bec22bdc013201f62ee1bfcb906cd8013cda3536e5587395d1cba2fb0992098e32cd793a1dcfee0e363fadb4fdffc9f287e5571c638c93d3ba515
File 2 (hashes identical to the submitted sample)
  Filesize: 1.3MB
  MD5: 159a037a37339a28dfbf8af93f3efdeb
  SHA1: 17bf99c8c7b97385773ccf1b186a9eea9e74fdac
  SHA256: cec0150ad1e839c303bfff7282abe1d1385fa455141f19c46358a8977bff8513
  SHA512: ff56a732d5d8269791a589401bb498d80d56f906675c2c5620aec4f13682ea8ab40e4b9433f00d09f9e37dc7dfa30ed82b73964aed56134a36781c163d9f3f0f