Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2024, 00:41

Behavioral task: behavioral1
Sample: 4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
Size: 3.0MB
MD5: 4fec229537f5f9df324406adf36a4c3b
SHA1: 8024584d4a7686dd637c922c2721fbcd713106ee
SHA256: a341c4825ac29349b487b06073cc546fd16cd5beff26f1be7abc46a7adfdeb61
SHA512: 884d6d7ef3dba02b9ace35d9ca8823f62f59d095c7eebffdde9f83adda53299304bc86745a2a551e2f3404a98513b51dce3c0511c322e3e0b2a681b9014f84a2
SSDEEP: 49152:3tvjlNxTEFxdNJiEnlUOKhlRmr3nE+qtiBkutNe9ecNNsi/sLDqn8SrAzE:3tvj9+NJiSklwfNBDtwx8DqTAz
Malware Config
Signatures
  resource                                     yara_rule
  behavioral2/files/0x000a000000023b84-15.dat  aspack_v212_v242
  behavioral2/files/0x000c000000023b82-17.dat  aspack_v212_v242

Executes dropped EXE 2 IoCs
  pid   Process
  4596  ssinitar.exe
  1952  setup.exe

Loads dropped DLL 1 IoCs
  pid   Process
  3388  Rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  setup.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ssinitar.exe
Suspicious use of FindShellTrayWindow 4 IoCs
  pid   Process
  1952  setup.exe
  1952  setup.exe
  1952  setup.exe
  1952  setup.exe

Suspicious use of SendNotifyMessage 4 IoCs
  pid   Process
  1952  setup.exe
  1952  setup.exe
  1952  setup.exe
  1952  setup.exe

Suspicious use of SetWindowsHookEx 7 IoCs
  pid   Process
  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
  1952  setup.exe
  1952  setup.exe
  1952  setup.exe
  1952  setup.exe

Suspicious use of WriteProcessMemory 12 IoCs
  description                      pid   Process                                             procid_target
  PID 4160 wrote to memory of 4596  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  87
  PID 4160 wrote to memory of 4596  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  87
  PID 4160 wrote to memory of 4596  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  87
  PID 4160 wrote to memory of 1952  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  88
  PID 4160 wrote to memory of 1952  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  88
  PID 4160 wrote to memory of 1952  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  88
  PID 4160 wrote to memory of 3388  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  89
  PID 4160 wrote to memory of 3388  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  89
  PID 4160 wrote to memory of 3388  4160  4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe  89
  PID 3388 wrote to memory of 3936  3388  Rundll32.exe                                        92
  PID 3388 wrote to memory of 3936  3388  Rundll32.exe                                        92
  PID 3388 wrote to memory of 3936  3388  Rundll32.exe                                        92
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe"
    PID: 4160
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\vzctyq\ssinitar.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\vzctyq\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\vzctyq\"
        PID: 4596
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\vzctyq\setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\vzctyq\setup.exe"
        PID: 1952
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\Rundll32.exe
        Command line: Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\vzctyq\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\4fec229537f5f9df324406adf36a4c3b_JaffaCakes118.exe
        PID: 3388
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c .\danulev1.bat
            PID: 3936
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 372B
MD5: 5ac85abfbae2ba225b7cd376f929ef96
SHA1: 55193ef6e88bf194b62e1ddce6fd94ad8ac79fa1
SHA256: dc879d5593517c8e936cc37e59aaaedb456ae0d78dfbff3c19210928b795a2f8
SHA512: 809ff28c7360175185cc4527b168fd5670c2136545d9d3b4f7e48cbcafb903a2179d0c422af3f281daa3cfbb304431842dc1a17b957cb605958849a2909dfcf8

Filesize: 757KB
MD5: f74dcbfb7d7f36644d65d41720dc7446
SHA1: 6e6a90d5101870cf0a901e6b0e5ffb5775c1f3df
SHA256: 85e92ff738426068d7fc3c9c1492aa770fa30fa773129c0c3c7cb3ad181a95bb
SHA512: 35c418a0019858f475da9264927e51ffd6d55842b0805c180b6827b1b036317e9b564fc8b55ac3d99689c446f4093e76125e0b978e44de533a98dfeab9b1b643

Filesize: 923KB
MD5: 271153e73ccb8148b1e924c74cbcd727
SHA1: b92c6e3f6c59ccd6851bbe5672a75f7aefb54ec5
SHA256: f1d7791d2d623811c0d7cc8e52591ae46d3eb70bd3182d20616ebecff5358646
SHA512: 489d3af15878600df822705abbc9969be2bb05dfc30ded4fbe12bd693a364f6bcfbcd343e3800e03741c671730b0be7cf372e5cfdfdaf5f8f0389986ea8f67e1

Filesize: 923KB
MD5: a9e5b2cd7c58d8e10e480abfce5a722e
SHA1: 47412231f825da4702e299ebf16cdbed15415c47
SHA256: 93d9b6a161bb646cd45f3ce412e1b0b2dd643f463791f8447583063b567533e5
SHA512: 73d303dfbe97e8856a3c30ddfbd0b02151c52d75f50f13f95cbab7eb4d2cc5f806e510e449898743ba0da2c8208fa588d710176260cdefe35639a6f54c696f97

Filesize: 1.7MB
MD5: aa27236bd7607f5d524d55b7cf360686
SHA1: 0ba8a5d74ec139cb30a90e0e13ded45feeb31c76
SHA256: 7c14f147d1924c3c3de94813da3ec95a7e6c17c69058bb9d36759d9589745974
SHA512: 8e9c9cb481bcf3b1bbae13ee2fc2cfdf47fb20359a3cb2f65732447b0c2fea35abd1b40f12a288c84ed88482ac20cfeff7d5ef73944dd4dbf219e66e96332483