Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2024, 02:39
Static task
- static1

Behavioral task behavioral1
- Sample: 4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: 4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
- Resource: win10v2004-20241007-en

Behavioral task behavioral3
- Sample: wy.exe
- Resource: win7-20240903-en

Behavioral task behavioral4
- Sample: wy.exe
- Resource: win10v2004-20241007-en
General
- Target: 4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
- Size: 423KB
- MD5: 4b0fae714497cb3a60037e8f543d8ae9
- SHA1: 8e53ff1ec3abcfe5cff2fe45c5feeef24a4ec918
- SHA256: 829e8c5cb3aa8455f983872bb992e2e92966b940745e597c10742258c10b4173
- SHA512: c75e9b46087bde983bd56dfa88d2d706e0d135b487e9689c9cf2a05df97067771b6d81cd920c879fd2f604f545f8d1fa0308fa83d00ed80099f1a55088ae4b5e
- SSDEEP: 6144:csgZ0IeJo5wTNxC5yuQJjXOQbJJ7TN26lELeuWcr+KYJccBWRXTH:MZ0254rucLJnlYeirGBBWRb
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2700  wy.exe
  2752  wy.exe

- Loads dropped DLL (9 IoCs)
  pid   Process
  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
  2700  wy.exe
  2752  wy.exe
  2700  wy.exe
  2752  wy.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PhysicalDrive0   wy.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                                Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        wy.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        wy.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe

- NSIS installer (2 IoCs)
  resource                                       yara_rule
  behavioral1/files/0x0007000000016d0b-17.dat    nsis_installer_1
  behavioral1/files/0x0007000000016d0b-17.dat    nsis_installer_2

- Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                      Process
  Key created  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main   wy.exe

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe
  2752  wy.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2700  wy.exe
  2700  wy.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                     pid   Process                                              procid_target
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2700  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  30
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
  PID 1936 wrote to memory of 2752  1936  4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"
  PID: 1936
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\ProgramData\37wan\wy\wy.exe
    Command line: "C:\ProgramData\37wan\wy\wy.exe" /autorun /setuprun
    PID: 2700
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - C:\ProgramData\37wan\wy\wy.exe
    Command line: "C:\ProgramData\37wan\wy\wy.exe" /setupsucc
    PID: 2752
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads