Analysis
-
max time kernel
95s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 00:52
General
-
Target
9ee65f785d4480376250b8fa48b573fe_JaffaCakes118.exe
-
Size
98KB
-
MD5
9ee65f785d4480376250b8fa48b573fe
-
SHA1
9b6fc772d8331e9b8e5102bfe7a05a1adcf2aa94
-
SHA256
d5c57d5bbadfbbc34008a91f411e6f5b6821073b8fc5c629661ad800ddf10918
-
SHA512
6cc47b9651f2ecd2c636713f61eab7dd6bccfa6445edbdef807e7ff856c857189ca59e0065a7e03a909aa0bef8619dab7d8b596d19ef31747f2eb5a312453c5f
-
SSDEEP
3072:1bIOHjY5SsWuQckHq8Z0Zfk5JxVSOgakkm7FZ+out:tHsQckK8KC53ATn+oS
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ee65f785d4480376250b8fa48b573fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9ee65f785d4480376250b8fa48b573fe_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1.exeC:\Users\Admin\AppData\Local\Temp\1.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW3⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Local\Temp\9ee65f785d4480376250b8fa48b573fe_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD54190846c5202983c636476eac5b979aa
SHA13bcac44ead53c96124f48f10ee1f1c6b568c0488
SHA25665c5c4e9908c5a3ddccbc2ed8073276e37bcfbcfe9aa25843e0789c5d88c7dfb
SHA512d9a621a13195b4958b01e6960b15ee765f811313818a88876a9369a8eccdcd7e66f60c28bd8010d86f1ee9b8109278ef7bba6be4a9a13927cd746b3777adc63b
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
16.0MB
-
Filesize
16.0MB