Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2024 22:48
Behavioral task: behavioral1
Sample: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
Size: 782KB
MD5: 373212a60a8702b87c205cf0179d423d
SHA1: 47bc8210c282aa1faba6e423154504d8e28a48e6
SHA256: 32c32ba223885385007dea2bb1904096b4dbf7dd6de2d4d816e3d600bb960cbe
SHA512: cba825c1739ed9fceb2a3dd983e159549cfa10ed4f67c183d5eb6d36b403d032b005fdf3ebc897db33e12e049f2941fc84072c4de7ac0dbaeca33ea8cae0a1cd
SSDEEP: 12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1h:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8A
Malware Config
Extracted
Family: urelas
C2:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures
Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2804)
Executes dropped EXE (2 IoCs)
  Processes: agboy.exe (PID 2384), wicic.exe (PID 2288)
Loads dropped DLL (2 IoCs)
  Processes: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe (PID 2932), agboy.exe (PID 2384)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: wicic.exe, 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe, agboy.exe, cmd.exe
  Reading this key is common in benign software (cmd.exe itself is flagged here), so treat it as weak evidence on its own.
Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes: wicic.exe (PID 2288), 54 process-enumeration events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: wicic.exe (PID 2288)
  Token: 33
  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2932 (373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe) wrote to memory of PID 2384 (agboy.exe), 4 events
  PID 2932 (373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe) wrote to memory of PID 2804 (cmd.exe), 4 events
  PID 2384 (agboy.exe) wrote to memory of PID 2288 (wicic.exe), 4 events
  Every write is from a parent into the child it spawned (see the process tree below); no write into an unrelated process is recorded, so this alone does not show cross-process injection.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe (PID 2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\agboy.exe (PID 2384), child of PID 2932
    Command line: "C:\Users\Admin\AppData\Local\Temp\agboy.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\wicic.exe (PID 2288), child of PID 2384
      Command line: "C:\Users\Admin\AppData\Local\Temp\wicic.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 2804), child of PID 2932
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
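The process tree above is the whole dropper chain: the sample runs a second-stage executable from %TEMP%, that stage runs a third, and the sample separately runs cmd.exe on a .bat file in %TEMP% (the process the report tags "Deletes itself"). The following is an added detection example, not code from the sandbox report or from any urelas analysis. It models the tree as constructed Sysmon-style process-creation records (the field set is a simplification; the PIDs and paths are the ones reported, the parent PID 1000 and the notepad.exe control event are made up) and flags the three patterns a detection engineer would pull out of this report.

```python
"""Flag a %TEMP% dropper chain from process-creation events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-user temp directory on Windows; case-insensitive, any drive letter.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd /c "<path>.bat" with any number of leading quotes (the report shows two).
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1-like fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree. PPID 1000 and the
# notepad.exe event are assumptions added as a parent placeholder and a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe"
EVENTS: List[ProcEvent] = [
    ProcEvent(2932, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2384, 2932, r"C:\Users\Admin\AppData\Local\Temp\agboy.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\agboy.exe"'),
    ProcEvent(2288, 2384, r"C:\Users\Admin\AppData\Local\Temp\wicic.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\wicic.exe"'),
    ProcEvent(2804, 2932, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    ProcEvent(3100, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

Finding = Tuple[str, int, int]  # (rule, pid, parent pid)


def in_temp(path: str) -> bool:
    """True if the path lives under a user's %TEMP% directory."""
    return bool(TEMP_RE.match(path))


def temp_chain_depth(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Count consecutive %TEMP%-resident executables walking up the parent chain."""
    depth = 0
    cur: Optional[ProcEvent] = ev
    while cur is not None and in_temp(cur.image):
        depth += 1
        cur = by_pid.get(cur.ppid)
    return depth


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply three rules derived from the report's process tree.

    dropped_exe_exec:  a %TEMP% executable started by another %TEMP% executable
    temp_bat_via_cmd:  cmd.exe /c on a %TEMP% .bat, launched by a %TEMP% executable
                       (the self-deletion pattern tagged on PID 2804)
    temp_chain_depth3: three or more nested %TEMP% executables (dropper -> stage 2 -> stage 3)
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # no visible parent: nothing to correlate against
        if in_temp(e.image) and in_temp(parent.image):
            findings.append(("dropped_exe_exec", e.pid, parent.pid))
        m = BAT_RE.search(e.cmdline)
        if (e.image.lower().endswith("\\cmd.exe") and m
                and in_temp(m.group(1)) and in_temp(parent.image)):
            findings.append(("temp_bat_via_cmd", e.pid, parent.pid))
        if temp_chain_depth(e, by_pid) >= 3:
            findings.append(("temp_chain_depth3", e.pid, parent.pid))
    return findings


if __name__ == "__main__":
    for rule, pid, ppid in detect(EVENTS):
        print(f"{rule:18} pid={pid} parent={ppid}")
```

Run against the constructed events, the rules fire on agboy.exe and wicic.exe (dropped-EXE execution), on wicic.exe again for the three-deep chain, and on cmd.exe for the %TEMP% batch file; the benign notepad.exe control produces nothing. The batch rule deliberately requires a %TEMP%-resident parent as well as a %TEMP% .bat, since installers legitimately run batch files from Temp but are rarely themselves running from Temp when they do.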
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304B
  MD5: 9e1b9b2ae3f5753a19953a29c9068a4a
  SHA1: 15d49110d07d55455262ee187f5e69f258bbcf5a
  SHA256: 5cf8853f308c6a39871a5a9a9d6eb32e904a401de7ab4adef58be92b6c085507
  SHA512: e1b1b722ce035d7ca761e05871409ea2021cc9b6618a752103e49fbbdc6eab395e887a63f1ba556a01062ac9e457e286996aa7b4c57069f15fc721e7df485937
- Filesize: 512B
  MD5: 1daff93c5de03c009628a9c9a0f72705
  SHA1: 4d2ec09c708e4410210b69bfc4cfcb6919f8dca6
  SHA256: cb62e840f47b1054bbe85a04a663c7867d39d456f2d5c1f0f8cddd59742cc5c9
  SHA512: 3c6129d93ba06d488304b28039f218ebdee92b358ff17d84a284660e7e78a375fdf1ab7822737682d5b6fe2819b6f32e91bbc883b346d1b35871058a5432f6b5
- Filesize: 782KB
  MD5: bd0e38975ac84dd13a020fe06e2154f0
  SHA1: f387bd605c3189f8a844cb8d996278cc084ff902
  SHA256: 8316bcdcc97a6f922157a28408dcff28a45d3199a37344e1d6f03e7cfdeafe97
  SHA512: 802d1a0db08039b7c25644097466f81b6ebe425921b8820881f695d1dc5bbf9fac2d452c4113a52eb55d7dd1aa0f8fe1c83a484dc2695eccd1f08e334645ee88
- Filesize: 156KB
  MD5: 083573d4e6de88d81f80a586665c53cd
  SHA1: 5e164d308015c621efa8a99a08d711e6d832934d
  SHA256: caca43c976e84713a387c37c143a800814af19745caf8a83002daf1c55f71e97
  SHA512: 61101e69cf59a6f6e40b1c604e0cda600f0443f1502db5de33dc26855c388805716cadf59bdd4a00f9d7bbdbf71915e06927bf8b1f1460eadbb97f0fbf26ed22