Analysis
max time kernel: 14s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 05:06
Static task: static1
Behavioral task: behavioral1
  Sample: 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
Size: 2.0MB
MD5: 81bc906307d99bcb8b3aeaceb1d51b5c
SHA1: 9dfd66539c689b2ecaf46fdcdeebf00128e59f87
SHA256: 191f71d0ce6906e90271c1a713d6420759744e21455818a244f4331f38e16b08
SHA512: 2d1912e20c73da05e6e5ff9373620ce829647fe23c92e54b20cac74453967831b89c9b00451938fbc3b9497f16b716e756f63540929b342de4d8cec05e5eb3f5
SSDEEP: 49152:r5cOFNA7o0BM4wpDnqrYTHJ0I24oS6HGpwlSGnf:r5vNOoLpVuI21S6HGuR
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid | Process
  928 | dvj45s81vl7c89u.exe
  2468 | 56m04a7z799e88f.exe
Loads dropped DLL (10 IoCs)
  pid | Process
  1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  928 | dvj45s81vl7c89u.exe
  928 | dvj45s81vl7c89u.exe
  928 | dvj45s81vl7c89u.exe
  928 | dvj45s81vl7c89u.exe
  928 | dvj45s81vl7c89u.exe
  2468 | 56m04a7z799e88f.exe
  2468 | 56m04a7z799e88f.exe
  2468 | 56m04a7z799e88f.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dvj45s81vl7c89u.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 56m04a7z799e88f.exe
Modifies registry class (35 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ProgID\ = "IMAPI2.MsftDiscFormat2Data.1" | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Programmable\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\sdohlp.dll\\1" | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\FLAGS\ | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E} | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\InprocServer32\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\ = "IAS SDO Helper 1.0 Type Library" | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\VersionIndependentProgID\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ProgID\ | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\TypeLib | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\TypeLib\ = "{443FC784-A7AA-A9B0-6E89-3A91DED0287F}" | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\sdohlp.dll\\1" | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\FLAGS | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Version\ | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\VersionIndependentProgID | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\VersionIndependentProgID\ = "IMAPI2.MsftDiscFormat2Data" | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F} | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win32 | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\FLAGS\ = "0" | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ = "Evebof Wodiposbo Kocagedpa Object" | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\InprocServer32 | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll" | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0 | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0 | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win32\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win64\ | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\TypeLib\ | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Version | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ProgID | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Programmable | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\ | 56m04a7z799e88f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win64 | 56m04a7z799e88f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Version\ = "1.0" | 56m04a7z799e88f.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2468 | 56m04a7z799e88f.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 1048 wrote to memory of 928 | 1048 | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | 29
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
  PID 928 wrote to memory of 2468 | 928 | dvj45s81vl7c89u.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe (PID 1048)
   Command line: "C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe (PID 928, child of PID 1048)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe" -e -p7k3y195xurds9tc
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe (PID 2468, child of PID 928)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: cb29fc6c4d1be6464d118d58750c7286
  SHA1: d942e69817be663057275b373b308f6f4a5bdea4
  SHA256: a0ce0051ee944ea54a214588d183deb2b7e72d6aa9d9180fcd16888cf232bef9
  SHA512: bd1891c0f015ec27c3a5f99c9b89f7f6cd87b9edd2d4e59a79ebfcb1fb35d836b597fec509ca7694ef608e2dd86e0d8d68617587fe649df8fe66db6bd6f492a7
- Filesize: 1.8MB
  MD5: c0ecef6a5e45a04e9b341ef74a4dd08f
  SHA1: f1d33665ab2ae2c658bbe6f64dee0986c3ba3d5a
  SHA256: 7f7b866445fd82fb423144bc7403af987a0ae4c1e27d38387a7ba84708856f5d
  SHA512: fdb0907b853db79d32ca8a0b23fed2c31e2886d247a7d09dc6154b42af734c8ee8da08c9bc7078e9dbc53b15a24d7a85bfabaa0ccd281f314a993a23c15157ac