Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
05-10-2024 08:02
Static task
static1
Behavioral task
behavioral1
Sample
16d8771f5afb389389946b130e50c429_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
16d8771f5afb389389946b130e50c429_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
16d8771f5afb389389946b130e50c429_JaffaCakes118.exe
-
Size
386KB
-
MD5
16d8771f5afb389389946b130e50c429
-
SHA1
0b5b0ff27ed426e53d0b2298c9556f03913d9a3e
-
SHA256
63478a65e1b3a5863c4eb8b746b1cc5fe4e81a79790b01f9004c4cf9071d9756
-
SHA512
068e4e383a3813035e78ad7e5cc79f05cfcbbcdd4236b53615ebfe102bdfadc393da779b7f976abed62a7ab0a1cba5988216f3b8220b5328efea892d0889e254
-
SSDEEP
12288:2N8tvkTTGy6p/11wtrwWCxqE5/MZcosIo:2N8OP1q0wpxqE1gTo
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2860 fP01842FeLpO01842.exe -
Executes dropped EXE 1 IoCs
pid Process 2860 fP01842FeLpO01842.exe -
Loads dropped DLL 2 IoCs
pid Process 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fP01842FeLpO01842 = "C:\\ProgramData\\fP01842FeLpO01842\\fP01842FeLpO01842.exe" fP01842FeLpO01842.exe -
resource yara_rule behavioral1/memory/2384-1-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral1/memory/2384-17-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral1/memory/2860-25-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral1/memory/2860-29-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral1/memory/2860-37-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral1/memory/2860-39-0x0000000000400000-0x00000000004C1000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fP01842FeLpO01842.exe -
Modifies Internet Explorer settings
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main fP01842FeLpO01842.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe Token: SeDebugPrivilege 2860 fP01842FeLpO01842.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2860 fP01842FeLpO01842.exe 2860 fP01842FeLpO01842.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2860 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2860 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2860 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2860 2384 16d8771f5afb389389946b130e50c429_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\16d8771f5afb389389946b130e50c429_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16d8771f5afb389389946b130e50c429_JaffaCakes118.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\ProgramData\fP01842FeLpO01842\fP01842FeLpO01842.exe
"C:\ProgramData\fP01842FeLpO01842\fP01842FeLpO01842.exe" "C:\Users\Admin\AppData\Local\Temp\16d8771f5afb389389946b130e50c429_JaffaCakes118.exe"
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2860
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
192B
MD5 bf7dec9585ba7676efa0bca5dbdf822e
SHA1 82267e4cba56449072ba50459f396b254a1ed0b1
SHA256 7880408997811333df11f19d714208cbe0ab2e4c3f19d0c1a80fee02b1f596f5
SHA512 79c08293e2bbfacfb4a536617c5ddeb939472ed0bded167a424174af9c90098a6e9593db67ca67d39a12546865d51274cba1cba2eb8ce9fe881d2aeed2f32c4c
-
Filesize
386KB
MD5 f80fc20a7a1bad808b8ff8b482742a70
SHA1 23984f1eafe380011888ca9af34ee28ece804a94
SHA256 b9d6090aef6fab162239ce1a1f12f117e8a570cf2f0a167a7b8b3bbc186cb652
SHA512 3a23960484b14f6ad511a13c4e2bb4e57e7ddd50ae1ffe588e9c2985ecfc386a1bff9a957acee19395a9b8a5bcfb20b7ca4ef7af50ba721b445738f1e26de5d3