Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 17:15
Static task
static1
Behavioral task
behavioral1
Sample
4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe
-
Size
120KB
-
MD5
4118cae337d0d50cc1a4e8ba51f0f13f
-
SHA1
d411b0715dc7862ad4480c70ecaa365e9d228620
-
SHA256
579e3c8d36efe7587604443df45545c66bd2541eb71f0c40d8f3fb1ed9688b6b
-
SHA512
80b8c085fe6e50048ee35068e2421cd2bf7d126a08353231116fae591a8920694ea96e5b0ce28ef6c6e3dd8cd1c74a9b5a4c4124053e7056bc4f86bfb7cbc8b7
-
SSDEEP
768:t1n4v6yYsWdhldUurbfty2zkFOmlmroYlf8r/chd6fwCil:vYYdSutpkZp48bZwHl
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4516 cmd.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\jlgejgei32fg.dll 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe File created C:\Windows\SysWOW64\jlgejgei32fg.dll 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F490415F-65F8-B5C5-D8BA-9405FB12054F}\InprocServer32\ = "C:\\Windows\\SysWow64\\jlgejgei32fg.dll" 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F490415F-65F8-B5C5-D8BA-9405FB12054F}\InprocServer32\ThreadingModel = "Apartment" 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F490415F-65F8-B5C5-D8BA-9405FB12054F}\InprocServer32 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F490415F-65F8-B5C5-D8BA-9405FB12054F} 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1200 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 21 PID 2240 wrote to memory of 4516 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 31 PID 2240 wrote to memory of 4516 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 31 PID 2240 wrote to memory of 4516 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 31 PID 2240 wrote to memory of 4516 2240 4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe 31
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4118cae337d0d50cc1a4e8ba51f0f13f_JaffaCakes118.exe"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\DFD259450208.bat3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:4516
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
225B
MD54eb44d39d986be3df61da03b8ef9486f
SHA1a00535843826473842dc9a6ff5bd7e82a27fd34d
SHA2564380462b5b829425c4fc5d5ddc36686f408f86655563b0f9067843f8552e8bac
SHA512b35075cfabd5806e8e6543a741a4852b8756bf40c86ee4b6e4c3cb8ceace559c76b25ccfc66d102580790d7eec5f33e6a5373c69744a44f026223642a79a7eb3
-
Filesize
177KB
MD5d4a1f4c95ef5949cb6ed86cca5b7bf96
SHA1c613b7b7deae05507d39510f434db275c286497c
SHA256971173d6ba10a1a47b9c2b5b9bd241c0f95f53ca34d4b44c603bf6e032109621
SHA512a52b3f893d7b56317d5cac591ecd854a59827f0b0bcda1aab5bf65bb431d7774bb6975915231dbc3adaa63c282498cdb83a98adf5b188254a95f7280f9cf2534