Analysis
  Max time kernel: 141s
  Max time network: 30s
  Platform: windows7_x64
  Resource: win7-20240729-en
  Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  Submitted: 17/10/2024, 00:41
Behavioral task: behavioral1
  Sample: 4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
  Target: 4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  Size: 3.0MB
  MD5: 4fec229537f5f9df324406adf36a4c3b
  SHA1: 8024584d4a7686dd637c922c2721fbcd713106ee
  SHA256: a341c4825ac29349b487b06073cc546fd16cd5beff26f1be7abc46a7adfdeb61
  SHA512: 884d6d7ef3dba02b9ace35d9ca8823f62f59d095c7eebffdde9f83adda53299304bc86745a2a551e2f3404a98513b51dce3c0511c322e3e0b2a681b9014f84a2
  SSDEEP: 49152:3tvjlNxTEFxdNJiEnlUOKhlRmr3nE+qtiBkutNe9ecNNsi/sLDqn8SrAzE:3tvj9+NJiSklwfNBDtwx8DqTAz
Malware Config
Signatures
  resource                                      yara_rule
  behavioral1/files/0x003100000001926b-16.dat   aspack_v212_v242
  behavioral1/files/0x000800000001939b-20.dat   aspack_v212_v242
Deletes itself (1 IoCs)
  pid    Process
  2856   cmd.exe
Executes dropped EXE (2 IoCs)
  pid    Process
  2704   ssinitar.exe
  2320   setup.exe
Loads dropped DLL (6 IoCs)
  pid    Process
  1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
  2768   Rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                     ioc                    Process
  File opened for modification    \??\PhysicalDrive0     setup.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description    ioc                                                             Process
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     ssinitar.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     setup.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     Rundll32.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     cmd.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid    Process
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
Suspicious use of SendNotifyMessage (4 IoCs)
  pid    Process
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid    Process
  1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
  2320   setup.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  description                          pid    Process                                                procid_target
  PID 1456 wrote to memory of 2704     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    29
  PID 1456 wrote to memory of 2704     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    29
  PID 1456 wrote to memory of 2704     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    29
  PID 1456 wrote to memory of 2704     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    29
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2320     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    30
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 1456 wrote to memory of 2768     1456   4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe    31
  PID 2768 wrote to memory of 2856     2768   Rundll32.exe                                           32
  PID 2768 wrote to memory of 2856     2768   Rundll32.exe                                           32
  PID 2768 wrote to memory of 2856     2768   Rundll32.exe                                           32
  PID 2768 wrote to memory of 2856     2768   Rundll32.exe                                           32
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe"
  PID: 1456
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\lqeffm\ssinitar.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\lqeffm\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\lqeffm\"
    PID: 2704
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\lqeffm\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lqeffm\setup.exe"
    PID: 2320
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Windows\SysWOW64\Rundll32.exe
    Command line: Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\lqeffm\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
    PID: 2768
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c .\danulev1.bat
      PID: 2856
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 372B
  MD5: 4cf46538f6bc9df8a2f2b59ce48a9c8e
  SHA1: 3509e18b9aa813cae65108c2d5786c0518013111
  SHA256: bf3128468e9974c14fd7b730fb98077834e335d1a259ee2a3583ea2c2265986c
  SHA512: 0bc3ad66c43f7e53d94dd103f77962955f4b5bb8808da06e8f0f675ce119d9dec9e771b4a743423bd9cd5fc72f2e084a70ca3b082da9e61a70d17c6ac5f8345a
- Filesize: 757KB
  MD5: a22487dba32e72c3af8141726c3df140
  SHA1: 5bb9c3829be0180f5da8e101a51bfacaa773e447
  SHA256: 3e138bb787e210ae8aba4c2deccf0171b9f47ab01f8b47057239cb15bc4ed3cc
  SHA512: adc2f10830da3dc1c784947a05a2f40f3c760878b6afb65b8da06312681406bfc3d06bec0e6165b0b16bf910f3c989559787fab74df4c591c83fe96d1eb654d4
- Filesize: 923KB
  MD5: a9e5b2cd7c58d8e10e480abfce5a722e
  SHA1: 47412231f825da4702e299ebf16cdbed15415c47
  SHA256: 93d9b6a161bb646cd45f3ce412e1b0b2dd643f463791f8447583063b567533e5
  SHA512: 73d303dfbe97e8856a3c30ddfbd0b02151c52d75f50f13f95cbab7eb4d2cc5f806e510e449898743ba0da2c8208fa588d710176260cdefe35639a6f54c696f97
- Filesize: 923KB
  MD5: 271153e73ccb8148b1e924c74cbcd727
  SHA1: b92c6e3f6c59ccd6851bbe5672a75f7aefb54ec5
  SHA256: f1d7791d2d623811c0d7cc8e52591ae46d3eb70bd3182d20616ebecff5358646
  SHA512: 489d3af15878600df822705abbc9969be2bb05dfc30ded4fbe12bd693a364f6bcfbcd343e3800e03741c671730b0be7cf372e5cfdfdaf5f8f0389986ea8f67e1
- Filesize: 1.7MB
  MD5: aa27236bd7607f5d524d55b7cf360686
  SHA1: 0ba8a5d74ec139cb30a90e0e13ded45feeb31c76
  SHA256: 7c14f147d1924c3c3de94813da3ec95a7e6c17c69058bb9d36759d9589745974
  SHA512: 8e9c9cb481bcf3b1bbae13ee2fc2cfdf47fb20359a3cb2f65732447b0c2fea35abd1b40f12a288c84ed88482ac20cfeff7d5ef73944dd4dbf219e66e96332483