Analysis
max time kernel: 143s
max time network: 144s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 02:12
Static task: static1
Behavioral task: behavioral1
  Sample: 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
Size: 237KB
MD5: 812723d3e69a8a9543dd2ebeff8a7fa5
SHA1: 52c49fb43ebb5ef733ffe012c392ba8acceee202
SHA256: 1ab4bda709b6dec9b2d4df647e0d4372b1aa9a712b65a32fcc33642005d57e08
SHA512: 9205f751ecbccb1d62a0236c7ddb4132e797d75a375f9191fd626cb86fde6625bb6bbd0bc00ecc3429ec6e7861b577761745514f4a81a0473066c7a7d7fdbae6
SSDEEP: 6144:2bNfTsrH63mizzzT7nn7EqNuaV60k97lUf+Ld:EAe3mizzzTz7Eioh97lFd
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid   Process
2236  cb.exe
2204  ic9.exe
1824  EuroP.exe
2776  E4U.exe
2744  Gi.exe
3060  geurge.exe

Loads dropped DLL (28 IoCs)
pid   Process
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2236  cb.exe
2236  cb.exe
2236  cb.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2204  ic9.exe
2204  ic9.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
1824  EuroP.exe
1824  EuroP.exe
1824  EuroP.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2776  E4U.exe
2776  E4U.exe
2776  E4U.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
2744  Gi.exe
2744  Gi.exe
2744  Gi.exe
2744  Gi.exe
2744  Gi.exe
3060  geurge.exe
3060  geurge.exe
3060  geurge.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\geurge.exe"  Gi.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\t:  geurge.exe
File opened (read-only)  \??\h:  geurge.exe
File opened (read-only)  \??\k:  geurge.exe
File opened (read-only)  \??\m:  geurge.exe
File opened (read-only)  \??\n:  geurge.exe
File opened (read-only)  \??\p:  geurge.exe
File opened (read-only)  \??\q:  geurge.exe
File opened (read-only)  \??\b:  geurge.exe
File opened (read-only)  \??\j:  geurge.exe
File opened (read-only)  \??\l:  geurge.exe
File opened (read-only)  \??\e:  geurge.exe
File opened (read-only)  \??\r:  geurge.exe
File opened (read-only)  \??\s:  geurge.exe
File opened (read-only)  \??\u:  geurge.exe
File opened (read-only)  \??\v:  geurge.exe
File opened (read-only)  \??\y:  geurge.exe
File opened (read-only)  \??\z:  geurge.exe
File opened (read-only)  \??\a:  geurge.exe
File opened (read-only)  \??\g:  geurge.exe
File opened (read-only)  \??\i:  geurge.exe
File opened (read-only)  \??\o:  geurge.exe
File opened (read-only)  \??\w:  geurge.exe
File opened (read-only)  \??\x:  geurge.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

resource                                                                     yara_rule
behavioral1/files/0x0006000000019490-55.dat                                  upx
behavioral1/memory/2744-64-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2744-77-0x00000000059D0000-0x0000000005A2A000-memory.dmp   upx
behavioral1/memory/3060-88-0x0000000000400000-0x000000000045A000-memory.dmp   upx
behavioral1/memory/2744-100-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/3060-104-0x0000000000400000-0x000000000045A000-memory.dmp  upx
behavioral1/memory/3060-116-0x0000000000400000-0x000000000045A000-memory.dmp  upx
Drops file in Windows directory (1 IoCs)
description                   ioc                              Process
File opened for modification  C:\Windows\INF\setupapi.app.log  E4U.exe

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
324   sc.exe
1956  sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gi.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EuroP.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  geurge.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cb.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ic9.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  E4U.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe

Modifies Internet Explorer settings (2 IoCs)
description  ioc                                                                                                      Process
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  Gi.exe
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  geurge.exe

Runs net.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description                          pid   Process
Token: SeIncBasePriorityPrivilege    2776  E4U.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid   Process
2744  Gi.exe
2744  Gi.exe
2744  Gi.exe
2744  Gi.exe
3060  geurge.exe
3060  geurge.exe
3060  geurge.exe
3060  geurge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process                                             procid_target  count
PID 2592 wrote to memory of 2236  2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe  30             7
PID 2592 wrote to memory of 2204  2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe  31             7
PID 2592 wrote to memory of 1824  2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe  32             7
PID 2592 wrote to memory of 2776  2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe  33             7
PID 2592 wrote to memory of 2744  2592  812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe  34             7
PID 1824 wrote to memory of 3036  1824  EuroP.exe                                           35             7
PID 2744 wrote to memory of 3060  2744  Gi.exe                                              37             7
PID 2744 wrote to memory of 1468  2744  Gi.exe                                              38             7
PID 2744 wrote to memory of 1956  2744  Gi.exe                                              39             7
PID 2744 wrote to memory of 692   2744  Gi.exe                                              40             1
(count = number of identical entries in the report; 9 x 7 + 1 = 64)
Processes

C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe (PID 2592, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe (PID 2236, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe (PID 2204, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe (PID 1824, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3036, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mbz..bat" > nul 2> nul
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe (PID 2776, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 860, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe > nul
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe (PID 2744, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\geurge.exe (PID 3060, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\geurge.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\net.exe (PID 1468, depth 3)
      Command line: net.exe stop "Security Center"
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net1.exe (PID 2568, depth 4)
        Command line: C:\Windows\system32\net1 stop "Security Center"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\sc.exe (PID 1956, depth 3)
      Command line: sc config wscsvc start= DISABLED
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\net.exe (PID 692, depth 3)
      Command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net1.exe (PID 2524, depth 4)
        Command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\sc.exe (PID 324, depth 3)
      Command line: sc config SharedAccess start= DISABLED
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2464, depth 3)
      Command line: cmd /c ""C:\tujserrew.bat""
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 180B
MD5: a943a8061383fa691ce9bca68ee0512e
SHA1: f89b9e57a0a2ca47e3a9fd7ab6071a25ef117741
SHA256: 76d679cd188e89bbacacd4b31bb0daae8adc7094c9b43ca04873906d8f7447dc
SHA512: 6bbb204986e535b2db4b1ff8f60b18282a22a8171899394dbd0a0bb74e40a687864029a5da27b11a28325ab9968c5dd76ada69a794590d697599f0d06a114917

Filesize: 22KB
MD5: 88afc5e074effdce294e0da16c805d0f
SHA1: bf5f183d44ccf8fab7462022a464981c59119d96
SHA256: a41df47a6ed0cc26973c4bc1452f7d2e21946157552a5515052dc8642b48743e
SHA512: c53e10bd860b24bc28d9b6f0b9ddd2840b62f677bb4a2e181315b53553eb8c52f13bd6c065a43b6c577f03c8952288f76f61ba799756a731ce54d0099e46da2a

Filesize: 72KB
MD5: 2ca85ee33f90ba3705885737aa656a40
SHA1: e9f4331ef93d63e1c89707d6acdf699fc095a9b5
SHA256: b34881d5e2d3933dc467ed65bf05dc43fc17dac7d3c30d0cc89b98fbe71dcafa
SHA512: 9ce38d53fa1311c81943d03026b3c1dece41bec20ac109dcb46c9a5766ffb93396af57f6d440d095e205ecc025655b648ea1e73f600126bafbf6fc768ea80787

Filesize: 130B
MD5: d08cb97e3b90ca2dac463f834008b9b9
SHA1: 3db0d4da98d144669284f50d9e8ea87a988ac93a
SHA256: 033632928b0c1a737728bb51db824f5fc92c84cbebae99553e8a1f40bd05b8f9
SHA512: d843a43695c808bf3ee6088e5213f5b97f225412c36a41778a41a950c7459e4e9c4332b98bc9007544863e4d39b5f11bf15308ceeaceff7320847d301febe97d

Filesize: 58KB
MD5: 4799c30743d59d162a7a4d0f16bce415
SHA1: 21b11dfedac88b1009b6459b92076b2278954183
SHA256: acc6f5666df365ac19248f7854ae8d3753e126ab5125975e232e9d7b924523f1
SHA512: bb67e53a36cbb7f73d71c4cb1a75996481ca0646cf73565ef3f34973bc42384aff47d625f171385a3d677e336758e3b5a35ef7f5c2dd21b471f55bf5ff0d8ebd

Filesize: 3KB
MD5: 46e07fd3a40760fda18cf6b4fc691742
SHA1: 53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa
SHA256: bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be
SHA512: ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Filesize: 81KB
MD5: 28ee9992c5cc76a2a2385eaa7423411c
SHA1: 96b5485154f44094627770d5fcf7a4a80aaa111e
SHA256: 9fb5e5110b4fa98c20c90c6f597a09baaf7c301e417a4d2ac7dcdcf6c19cfea1
SHA512: 16ff019cb3ca0cae00a4336d0dd77d95cdcd3bce8b064f3072a9d3622bf190290eb33ca8500cb26f104da80df9704f98584c234dd243804547e0c45605c6276e