Analysis
max time kernel: 140s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 07:54
Static task: static1
Behavioral task: behavioral1
Sample: 2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
Size: 1.7MB
MD5: 2d95eaa898c7c653be7fe5ad8a8bb394
SHA1: f42293cb82ff3a7f9491b9a2498fd15a4144c407
SHA256: 5224e77e3662f69ae1f554ef4737301567411803828355e0718945ecc7f3d6fd
SHA512: b74b177c014d47112f2f236e27b1d8f81ab60255758c12dbb22b07d6d0f4337fc51b3484ad4c87c42d124ae1510f5d4e1e826b17b6cbb90e5ca45b45042f88a3
SSDEEP: 49152:V6tGner/kIzUBDDExDf29HZjbDLnZc9NH3:4tGe7nmINOV1tcbX
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2656  system.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine        2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Key opened   \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine        system.exe

Loads dropped DLL (4 IoCs)
  pid   process
  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  2656  system.exe
  2656  system.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\WINDOWS\\system.exe"  system.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\WINDOWS\\system.exe"                                  system.exe

Drops file in Windows directory (4 IoCs)
  description                   ioc                               process
  File opened for modification  C:\Windows\WINDOWS\system.exe     2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  File created                  C:\Windows\WINDOWS\system.exe     2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  File opened for modification  C:\Windows\WINDOWS\install.sys    system.exe
  File created                  C:\Windows\WINDOWS\install.sys    system.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  system.exe
Modifies registry class (5 IoCs)
  description      ioc                                                                       process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open                     2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command\ = "rundll32.exe"  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command             2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile                                2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell                          2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe
  Token: SeDebugPrivilege   2656  system.exe
  Token: SeDebugPrivilege   2656  system.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process                                              procid_target
  PID 2968 wrote to memory of 2656  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe  30
  PID 2968 wrote to memory of 2656  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe  30
  PID 2968 wrote to memory of 2656  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe  30
  PID 2968 wrote to memory of 2656  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe  30
  PID 2968 wrote to memory of 1188  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe  21
  PID 2968 wrote to memory of 1188  2968  2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe  21
Processes
C:\Windows\Explorer.EXE (PID 1188)
  command line: C:\Windows\Explorer.EXE
  └ C:\Users\Admin\AppData\Local\Temp\2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe (PID 2968)
      command line: "C:\Users\Admin\AppData\Local\Temp\2d95eaa898c7c653be7fe5ad8a8bb394_JaffaCakes118.exe"
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\WINDOWS\system.exe (PID 2656)
          command line: C:\Windows\WINDOWS\system.exe
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 218KB
MD5: 90f1d356cd7b40db6b538d867f76f4a1
SHA1: 19a9a526ce6cde8af05868cc2c4a1ff215a2d5d9
SHA256: 2ab20880df3c26d899fbdb9f093636cebf25c55c826aa8a6838b3de32148c959
SHA512: e47dfb7b21f93dcdb500d42f0a11f85e2c3dd1bdff566ecb8ca9ab69904934f4aa5c4cfdaae820f33796652bf6e32783e7797bb16861b25bc5c7a2006aebc0e9

Filesize: 1.7MB
MD5: 2d95eaa898c7c653be7fe5ad8a8bb394
SHA1: f42293cb82ff3a7f9491b9a2498fd15a4144c407
SHA256: 5224e77e3662f69ae1f554ef4737301567411803828355e0718945ecc7f3d6fd
SHA512: b74b177c014d47112f2f236e27b1d8f81ab60255758c12dbb22b07d6d0f4337fc51b3484ad4c87c42d124ae1510f5d4e1e826b17b6cbb90e5ca45b45042f88a3