Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 31/10/2024, 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Size: 400KB
- MD5: 837b3ee12cc0ddd81bfcf0c7b57e3dfc
- SHA1: 70612835e9d261454200ce963af55bb553b8b486
- SHA256: e356e0ab1bc38eac26f1e4caea3acae40f70b910a961555ae1c6ffa02a4d20a8
- SHA512: 7df022a6445e09d52c39c717ebc3b77b3201beb2ab09d8c0aea4cc88f4253a708fa63949d27d21f04626fcdbc33bbd6293e3248f792adc7b769c6cec0d8ccca0
- SSDEEP: 6144:xpMt2bRtHVlAKFMFkBiCl1zfWbq4iofuz3rWrthaU1m4R0a6LD:xpMt2/H/Fxi+1z0q4NWz7Wna
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2772  your_exe.exe
  2688  1281085013.exe
  2896  install.48596.exe
- Loads dropped DLL (8 IoCs)
  pid   Process
  1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  2688  1281085013.exe
  2896  install.48596.exe
  2896  install.48596.exe
  2896  install.48596.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PhysicalDrive0   837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                              pid   Process                                               procid_target
  PID 2848 set thread context of 1720      2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      1281085013.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      install.48596.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      your_exe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                          pid   Process
  Token: SeIncBasePriorityPrivilege    2772  your_exe.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  description                          pid   Process                                               procid_target
  PID 2848 wrote to memory of 1720     2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
  PID 2848 wrote to memory of 1720     2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
  PID 2848 wrote to memory of 1720     2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
  PID 2848 wrote to memory of 1720     2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
  PID 2848 wrote to memory of 1720     2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
  PID 2848 wrote to memory of 1720     2848  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   31
  PID 1720 wrote to memory of 2772     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   32
  PID 1720 wrote to memory of 2772     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   32
  PID 1720 wrote to memory of 2772     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   32
  PID 1720 wrote to memory of 2772     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   32
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2688     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   33
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 1720 wrote to memory of 2896     1720  837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe   34
  PID 2772 wrote to memory of 2820     2772  your_exe.exe                                          36
  PID 2772 wrote to memory of 2820     2772  your_exe.exe                                          36
  PID 2772 wrote to memory of 2820     2772  your_exe.exe                                          36
  PID 2772 wrote to memory of 2820     2772  your_exe.exe                                          36
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
  PID 2896 wrote to memory of 1912     2896  install.48596.exe                                     38
Processes
- C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe (depth 1, PID 2848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe (depth 2, PID 1720)
    Command line: C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
    Signatures:
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\your_exe.exe (depth 3, PID 2772)
      Command line: "C:\Users\Admin\AppData\Local\Temp\your_exe.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2820)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\your_exe.exe > nul
        Signatures:
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1281085013.exe (depth 3, PID 2688)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1281085013.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\install.48596.exe (depth 3, PID 2896)
      Command line: "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1912)
        Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Zxp..bat" > nul 2> nul
        Signatures:
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\domain_profile[1].htm
  Filesize: 8KB
  MD5: e13dc56e321e22d0cd5dd7334ea994ce
  SHA1: 135c2d6c420e891b6132671dcf59c21579096789
  SHA256: 0a5ea53bc287ecb32d41eaa6bf3cd6aea27bfeef0c0f65ed04362e58dad3422a
  SHA512: 8cf29a3426b8201928f26ae5bbf2217a44bad3fef82cb2d9abffa0382d82e8f3b800b70c419083e1001e4b2d5f688768218184330bd570f3eb211a57b026de96
- Filesize: 172B
  MD5: c33eea8a46d07a704cb779c6dc84c12a
  SHA1: 649151c6d4416f693a74857693e16e2195fb2d7c
  SHA256: 3568407aa5d11fb1219fc6f1e4e8f4d90acef87a178cd886b2b379f7279de3c5
  SHA512: 5171f18a5fde3a37877f35ac4dc1715428754c35b4ea3a1d2d3646c7ddebc2b7ae38d03af4146270d70c4274895c74fbfa1d43fb152532b4cef01ce1841f7350
- Filesize: 92KB
  MD5: 73ab199d7ab02007c908122e892ca1c3
  SHA1: 01614a27abc6a64ed6479ca2f6596b8b6d2d31a6
  SHA256: 3d0932127b9ae4643a8040b11deff670ce00844a0a4dc9bccc2cd6f4c715cd5f
  SHA512: b506ad5d819d4d289148a91c5905cf9e65846c2a4a7f1f51585218728f54dc334c605df5d434f2c97e1bb353d6ec737fbbd3ba7763be107c969a0ff2de7346fb
- Filesize: 129KB
  MD5: 4eea964cf5ee8eaaa4561798f69ed259
  SHA1: f6fa8f310f8a439941acbeb25d3653c8cd130318
  SHA256: 3f9ea9e74b1a280508dacd0312b144b1c44d6f08077783656dd45f1b0df9144f
  SHA512: 96d080102bf3e99581b4e8dd98e40174a0709bb237ff042b869fb404ad24ebc4b74e33844bd10c378692c561298dafa346577094b6ae763e5e3740b8c6fb4b20
- Filesize: 22KB
  MD5: 75ecb408da996d0d7f33dd77f6eb1c9c
  SHA1: b836e9125bd643358bda960e50637a8ea172b495
  SHA256: fa8652151b8bb6daeb86b97c5c705886028e587a5be366e0c228849c9bcbd078
  SHA512: f9933923ccfbc04ddb95090a78698737355128aff01fd2713a1cd029c5c32bc37d29c01714c663eaa89ca604efdd80b16a27ec8ed7eb2769837a7130fa7bbccd