Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 31/10/2024, 04:12
Static task: static1
Behavioral task: behavioral1
- Sample: 8193921c017358677073e954745e86ed_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 8193921c017358677073e954745e86ed_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 8193921c017358677073e954745e86ed_JaffaCakes118.exe
- Size: 224KB
- MD5: 8193921c017358677073e954745e86ed
- SHA1: 9ab8e86034475a0bde55729fd2bbff0796baf695
- SHA256: 9f9bbe3b5733adff8b9c349407580800e767cd01eb71dbbe2f7df78c87f8dca2
- SHA512: 974df8c61a371d615352949438ec870dc1ec82701eae976843122091bca1751e8fbd1d9be105e1c30e560e3df4f693c4ddb4f11477d95ec1f57b9ac01bfb4152
- SSDEEP: 3072:k4JwsSux9D3OaiGY0VdV6dUPuD0VKir9QzFL6aqEYDKEuj/Rr0kAx:k4n3OBWvV6KPPUw+6aqEYGE8RokG
Malware Config
(none extracted)

Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1524  259433874.exe
  2848  259434826.exe
  2836  QQ2011.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe
  2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe
  2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe
  2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe
  2848  259434826.exe
  2848  259434826.exe
  2084  WerFault.exe
  2084  WerFault.exe
  2084  WerFault.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2084  2848        WerFault.exe  33
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  259433874.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  259434826.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QQ2011.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2848  259434826.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                          pid   Process                                              procid_target
  PID 2384 wrote to memory of 1524     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 1524     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 1524     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 1524     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  30
  PID 1524 wrote to memory of 2160     1524  259433874.exe                                        31
  PID 1524 wrote to memory of 2160     1524  259433874.exe                                        31
  PID 1524 wrote to memory of 2160     1524  259433874.exe                                        31
  PID 1524 wrote to memory of 2160     1524  259433874.exe                                        31
  PID 2384 wrote to memory of 2848     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2848     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2848     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2848     2384  8193921c017358677073e954745e86ed_JaffaCakes118.exe  33
  PID 2848 wrote to memory of 2836     2848  259434826.exe                                        34
  PID 2848 wrote to memory of 2836     2848  259434826.exe                                        34
  PID 2848 wrote to memory of 2836     2848  259434826.exe                                        34
  PID 2848 wrote to memory of 2836     2848  259434826.exe                                        34
  PID 2836 wrote to memory of 2736     2836  QQ2011.exe                                           35
  PID 2836 wrote to memory of 2736     2836  QQ2011.exe                                           35
  PID 2836 wrote to memory of 2736     2836  QQ2011.exe                                           35
  PID 2836 wrote to memory of 2736     2836  QQ2011.exe                                           35
  PID 2848 wrote to memory of 2084     2848  259434826.exe                                        36
  PID 2848 wrote to memory of 2084     2848  259434826.exe                                        36
  PID 2848 wrote to memory of 2084     2848  259434826.exe                                        36
  PID 2848 wrote to memory of 2084     2848  259434826.exe                                        36
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8193921c017358677073e954745e86ed_JaffaCakes118.exe"
  PID: 2384
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\259433874.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\259433874.exe
    PID: 1524
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\259433874.exe
      PID: 2160
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\259434826.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\259434826.exe"
    PID: 2848
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\QQ2011\QQ2011.exe
      Command line: C:\Users\Admin\AppData\Roaming\QQ2011\QQ2011.exe
      PID: 2836
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2736
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 228
      PID: 2084
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144KB
  MD5: 4b54f3964c4d90a0fca8702309240e78
  SHA1: c5f7fc4fb4d3cb4035c5671bbe6ef4d025a48abe
  SHA256: 0a7d73320f550a97d1a2f9a1e3db8e3beea41b74e64e44c82eca8eae362d9b8f
  SHA512: 19b6a77adbde8e0118c3fbade9a7eb6e2b278071a2e07dedddb118a6411dac42a5b7d4075ab324e1293c4e25501a5f474c663ad81afb4b4d601886b28987f1fe