Analysis
max time kernel: 131s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/10/2024, 07:14
Static task: static1
Behavioral task: behavioral1
  Sample: 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
Size: 14KB
MD5: 561d055cc6c0da0756a01748ce967058
SHA1: 8303f42074385c1a54302b4a785c90953b7250cc
SHA256: ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd
SHA512: 44e3b821fb1005865036b3f9d1c418c6c016ec09fde394c725706ce7d96fbe3625190177eae784561198a772c05821a31ec7f34f6be059a3d112481e4e98ead1
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4bCl:hDXWipuE+K3/SSHgxm0O
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid   Process
  2228  DEMD153.exe
  2704  DEM26E2.exe
  2360  DEM7C41.exe
  2392  DEMD192.exe
  2800  DEM27BC.exe
  1108  DEM7D0C.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2668  561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
  2228  DEMD153.exe
  2704  DEM26E2.exe
  2360  DEM7C41.exe
  2392  DEMD192.exe
  2800  DEM27BC.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMD153.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM26E2.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM7C41.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMD192.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM27BC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                              procid_target
  PID 2668 wrote to memory of 2228  2668  561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe  32
  PID 2668 wrote to memory of 2228  2668  561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe  32
  PID 2668 wrote to memory of 2228  2668  561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe  32
  PID 2668 wrote to memory of 2228  2668  561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe  32
  PID 2228 wrote to memory of 2704  2228  DEMD153.exe                                          34
  PID 2228 wrote to memory of 2704  2228  DEMD153.exe                                          34
  PID 2228 wrote to memory of 2704  2228  DEMD153.exe                                          34
  PID 2228 wrote to memory of 2704  2228  DEMD153.exe                                          34
  PID 2704 wrote to memory of 2360  2704  DEM26E2.exe                                          36
  PID 2704 wrote to memory of 2360  2704  DEM26E2.exe                                          36
  PID 2704 wrote to memory of 2360  2704  DEM26E2.exe                                          36
  PID 2704 wrote to memory of 2360  2704  DEM26E2.exe                                          36
  PID 2360 wrote to memory of 2392  2360  DEM7C41.exe                                          38
  PID 2360 wrote to memory of 2392  2360  DEM7C41.exe                                          38
  PID 2360 wrote to memory of 2392  2360  DEM7C41.exe                                          38
  PID 2360 wrote to memory of 2392  2360  DEM7C41.exe                                          38
  PID 2392 wrote to memory of 2800  2392  DEMD192.exe                                          41
  PID 2392 wrote to memory of 2800  2392  DEMD192.exe                                          41
  PID 2392 wrote to memory of 2800  2392  DEMD192.exe                                          41
  PID 2392 wrote to memory of 2800  2392  DEMD192.exe                                          41
  PID 2800 wrote to memory of 1108  2800  DEM27BC.exe                                          43
  PID 2800 wrote to memory of 1108  2800  DEM27BC.exe                                          43
  PID 2800 wrote to memory of 1108  2800  DEM27BC.exe                                          43
  PID 2800 wrote to memory of 1108  2800  DEM27BC.exe                                          43
Processes (process tree; depth number gives the nesting level, each entry is a child of the one above)

1  C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe"
   PID: 2668
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2  C:\Users\Admin\AppData\Local\Temp\DEMD153.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD153.exe"
     PID: 2228
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe"
       PID: 2704
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4  C:\Users\Admin\AppData\Local\Temp\DEM7C41.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7C41.exe"
         PID: 2360
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5  C:\Users\Admin\AppData\Local\Temp\DEMD192.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD192.exe"
           PID: 2392
           - Executes dropped EXE
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6  C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe"
             PID: 2800
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7  C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe"
               PID: 1108
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads