Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/10/2024, 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
Size: 56KB
MD5: 17b97e5ff8974b521d062fdf2fb1feda
SHA1: ce3569f04db7a15d3ce2a725b8afb26395f17a32
SHA256: 01bcb88981aab367c111a35773bb62403d54d0c82be51dbbf2a4a614d785a1b4
SHA512: fc489ddbbda27f89dd64a439ddacdcb224e964c40a7e3690c56d2d5e52a24ac50058d025f813cc51aca69a79935a9e9fcd21b40dda637841d7380bf5ec045c82
SSDEEP: 1536:N97Pk9zlD8HOXlXsX3XnkcUckD98kMEk7I:b7ezlyzkcUckD98kME7
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Process: kieci.exe
Executes dropped EXE (1 IoC)
  pid: 2884 | Process: kieci.exe
Loads dropped DLL (2 IoCs)
  pid: 2724 | Process: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
  pid: 2724 | Process: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieci = "C:\\Users\\Admin\\kieci.exe" | Process: kieci.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: kieci.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2884 | Process: kieci.exe (the same entry repeated 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2724 | Process: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
  pid: 2884 | Process: kieci.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2724 wrote to memory of 2884 | pid: 2724 | Process: 17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe | procid_target: 30 (4 identical entries)
  description: PID 2884 wrote to memory of 2724 | pid: 2884 | Process: kieci.exe | procid_target: 29 (all remaining entries are identical)
Processes
C:\Users\Admin\AppData\Local\Temp\17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b97e5ff8974b521d062fdf2fb1feda_JaffaCakes118.exe"
  Level: 1
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2724
  C:\Users\Admin\kieci.exe
    Command line: "C:\Users\Admin\kieci.exe"
    Level: 2
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2884
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads
Filesize: 56KB
MD5: cc4abed821a506226fcee0291142c3ac
SHA1: 69815032dffac946b79c1165bf0b84f327906f0e
SHA256: 3b53be18fc8bd66609e892f490d2edd14a5aa6e858ea075e6e97439123a38ade
SHA512: 88d232c01442206f262c8c00426461cdef9c49aaa781d2e0c44647e1c2a322ffe26c8894c64d2d5ba5d1a132e86c1e4fb98388854658418667226d46cb4b4ddd