Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 05:22
Static task: static1
Behavioral task: behavioral1
  Sample: b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
Size: 26KB
MD5: b4f6d746ce496bb0352fa083b209e629
SHA1: 709bde1685ffc834580fa19c4729b42f8fd77a7f
SHA256: dd496517c1db326ad4862c58fc183f52dcd6967e86a8810af47101ae6df3cfda
SHA512: a5e193476f7810734b0d164466dfbd65c4cf2a51ff77d65b193a7760bd6a3669f04bbf36b53731f362b6ad6ab5cee96c00b12b406d9ea0b7c5daf06224648120
SSDEEP: 384:DZyrOAVI7cfceEAQ1uLsH7tns5NxTwnstZ0rlDPBdrhMIQ0crqBCDS5oqGAEjpe8:DZJAGc3EdQC5nST9ihBMfryC25oIOZQM
Malware Config
Signatures
Deletes itself (1 IoC)
  pid | Process
  2680 | cmd.exe

Executes dropped EXE (1 IoC)
  pid | Process
  720 | NTdhcp.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
  2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\NTdhcp.exe | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\NTdhcp.exe | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\NTdhcp.exe | NTdhcp.exe

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Deleteme.bat | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2032 wrote to memory of 720 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 30
  PID 2032 wrote to memory of 720 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 30
  PID 2032 wrote to memory of 720 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 30
  PID 2032 wrote to memory of 720 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 30
  PID 2032 wrote to memory of 2680 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 31
  PID 2032 wrote to memory of 2680 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 31
  PID 2032 wrote to memory of 2680 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 31
  PID 2032 wrote to memory of 2680 | 2032 | b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe | 31
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4f6d746ce496bb0352fa083b209e629_JaffaCakes118.exe"
  PID: 2032
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\NTdhcp.exe
    Command line: C:\Windows\system32\NTdhcp.exe
    PID: 720
    - Executes dropped EXE
    - Drops file in System32 directory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\Deleteme.bat
    PID: 2680
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 212B
  MD5: 2a66ccbbc1a1c72cb060bafa3f4a4c6c
  SHA1: 461e55470fb07972551046b18960fd6267f55cb9
  SHA256: adf3c1f187ea76d25989aeb730b34762934f9f111c2d94d54cf2a87da255138c
  SHA512: fa1a8e2cbc55cc4fe369bd4bb2a16fe4503cd1545902dca1e515fe88ddcfea71d19cda281fb2dbb03d75e2ad5829943f47ed55c4c5392596bd289b5707fe6ddc

File 2 (hashes match the submitted sample)
  Filesize: 26KB
  MD5: b4f6d746ce496bb0352fa083b209e629
  SHA1: 709bde1685ffc834580fa19c4729b42f8fd77a7f
  SHA256: dd496517c1db326ad4862c58fc183f52dcd6967e86a8810af47101ae6df3cfda
  SHA512: a5e193476f7810734b0d164466dfbd65c4cf2a51ff77d65b193a7760bd6a3669f04bbf36b53731f362b6ad6ab5cee96c00b12b406d9ea0b7c5daf06224648120