Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2024 17:15

General

  • Target

    4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    4118cae337d0d50cc1a4e8ba51f0f13f

  • SHA1

    d411b0715dc7862ad4480c70ecaa365e9d228620

  • SHA256

    579e3c8d36efe7587604443df45545c66bd2541eb71f0c40d8f3fb1ed9688b6b

  • SHA512

    80b8c085fe6e50048ee35068e2421cd2bf7d126a08353231116fae591a8920694ea96e5b0ce28ef6c6e3dd8cd1c74a9b5a4c4124053e7056bc4f86bfb7cbc8b7

  • SSDEEP

    768:t1n4v6yYsWdhldUurbfty2zkFOmlmroYlf8r/chd6fwCil:vYYdSutpkZp48bZwHl

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe"
        2⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\DFD259450208.bat
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:4516
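The process tree and dropped files above show two behaviours worth turning into detection logic: the dropper in %TEMP% writes a batch file next to itself and runs it through `cmd /c` (the sequence behind the "Deletes itself" signature, since the batch removes the original executable and then itself), and the same dropper writes a DLL into `C:\Windows\SysWOW64`. The AdjustPrivilegeToken and WriteProcessMemory signatures, together with the 4 KB memory region dumped from Explorer.EXE (PID 1200), are consistent with the dropper touching another process's memory, but the report does not show what was written, so the example below sticks to what the tree and file list evidence. This is an added example, not part of the sandbox report: the events are constructed from the PIDs and paths on this page, and the simplified dict layout (modelled loosely on Sysmon ProcessCreate and FileCreate records) is an assumption so the code runs offline.

```python
"""Detection logic for two behaviours recorded in the report above:
a dropper in %TEMP% launching `cmd /c <temp>.bat` (self-deletion pattern)
and a non-system process writing a DLL into System32/SysWOW64.
Added example; events are constructed from the report, field layout is assumed.
"""
import re
from dataclasses import dataclass

# Path patterns (case-insensitive, Windows backslashes escaped for the regex engine).
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSDIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
CMD_BAT_RE = re.compile(r'cmd(\.exe)?\s+/c\s+"?(?P<bat>[^\s"]+\.bat)', re.I)

# Constructed events mirroring the report's process tree and dropped files.
# eid 1 = process creation, eid 11 = file creation (simplified Sysmon-style dicts).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe"
EVENTS = [
    {"eid": 1, "pid": 2240, "ppid": 1200, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"eid": 11, "pid": 2240, "image": DROPPER,
     "target": r"C:\Windows\SysWOW64\jlgejgei32fg.dll"},
    {"eid": 11, "pid": 2240, "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Local\Temp\DFD259450208.bat"},
    {"eid": 1, "pid": 4516, "ppid": 2240, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\DFD259450208.bat"},
    # Benign control (hypothetical): an installer under Program Files writing a DLL.
    {"eid": 11, "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Windows\System32\vendor.dll"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def detect(events):
    """Return alerts for the self-delete batch pattern and TEMP->system-dir DLL drops."""
    by_pid = {e["pid"]: e for e in events if e["eid"] == 1}
    alerts = []
    for e in events:
        if e["eid"] == 1:
            m = CMD_BAT_RE.search(e["cmdline"])
            parent = by_pid.get(e.get("ppid"))
            # cmd /c <batch in %TEMP%> whose parent also runs from %TEMP%:
            # the usual "batch deletes the dropper, then itself" sequence.
            if m and parent and TEMP_RE.match(parent["image"]) and TEMP_RE.match(m.group("bat")):
                alerts.append(Alert("temp_dropper_runs_temp_bat", e["pid"], m.group("bat")))
        elif e["eid"] == 11:
            # A DLL written into a system directory by something running from %TEMP%.
            target = e["target"]
            if SYSDIR_RE.match(target) and target.lower().endswith(".dll") and TEMP_RE.match(e["image"]):
                alerts.append(Alert("temp_process_drops_system_dll", e["pid"], target))
    return alerts


def process_tree(events, root_pid):
    """Render process-creation events as 'pid image' lines indented by depth, like the report's tree."""
    children = {}
    for e in events:
        if e["eid"] == 1:
            children.setdefault(e["ppid"], []).append(e)
    lines = []

    def walk(pid, depth):
        for child in children.get(pid, []):
            lines.append("  " * depth + f"{child['pid']} {child['image']}")
            walk(child["pid"], depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    for line in process_tree(EVENTS, 1200):
        print(line)
    for alert in detect(EVENTS):
        print(alert)
```

The parent check matters: `cmd /c something.bat` alone is common in installers and logon scripts, but a batch file in %TEMP% launched by a parent that also runs from %TEMP% is a much tighter signal. The benign control event shows the DLL rule ignoring a non-TEMP writer; in a real deployment you would also want to correlate with the follow-on deletion of the dropper, which this report's "Deletes itself" tag records but the event list here does not model.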

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DFD259450208.bat

      Filesize

      225B

      MD5

      4eb44d39d986be3df61da03b8ef9486f

      SHA1

      a00535843826473842dc9a6ff5bd7e82a27fd34d

      SHA256

      4380462b5b829425c4fc5d5ddc36686f408f86655563b0f9067843f8552e8bac

      SHA512

      b35075cfabd5806e8e6543a741a4852b8756bf40c86ee4b6e4c3cb8ceace559c76b25ccfc66d102580790d7eec5f33e6a5373c69744a44f026223642a79a7eb3

    • C:\Windows\SysWOW64\jlgejgei32fg.dll

      Filesize

      177KB

      MD5

      d4a1f4c95ef5949cb6ed86cca5b7bf96

      SHA1

      c613b7b7deae05507d39510f434db275c286497c

      SHA256

      971173d6ba10a1a47b9c2b5b9bd241c0f95f53ca34d4b44c603bf6e032109621

      SHA512

      a52b3f893d7b56317d5cac591ecd854a59827f0b0bcda1aab5bf65bb431d7774bb6975915231dbc3adaa63c282498cdb83a98adf5b188254a95f7280f9cf2534

    • memory/1200-1009-0x0000000002550000-0x0000000002551000-memory.dmp

      Filesize

      4KB

    • memory/2240-0-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2240-1017-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB
