Analysis
max time kernel: 135s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
Size: 699KB
MD5: d69477dcdd44d6f9d0102329894a9d9c
SHA1: 123ee34e12767a0a5fbbf132a32321cdf3dbbae0
SHA256: ef9ec4742f12bf579efb7d36c3d645fba6d67b91272ee5b34952c25184f0afd6
SHA512: 5b92c34293bdbad140450ed4732710ab9b5a4d25f45034f8a754cfb0bd55d7b24059c46cc8465786283a5124b88cc154d0840205023119271334dc0058a0781f
SSDEEP: 12288:q/ezny90hw8BFyqXTS1jMeo5DKI4EZNYbaDY9wL:lnyww8BFyqjSMb4aNnMW
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid   Process
1492  jk27ca.exe
3712  BOOSTH~1.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
Triage note: the value name wextract_cleanup0 and the command rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" are the standard RunOnce entry written by the Windows IExpress/wextract self-extracting package format, and IXP000.TMP is wextract's extraction directory, which indicates the sample is a wextract package that unpacks jk27ca.exe and BOOSTH~1.EXE. The entry deletes that temp directory at the next logon and is then removed; it does not relaunch the payload, so on its own it is a cleanup artifact rather than persistence. The WOW6432Node path shows the value was written by a 32-bit process.
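The following is an added example, not part of the sandbox report: it parses the "Set value (str)" IoC exactly as printed above (key path, value name, JSON-escaped string data) and separates the wextract cleanup pattern from an arbitrary Run/RunOnce value that would need review. The second entry (CONSTRUCTED_RUN, an imaginary "Updater" value) is constructed here to show the other branch; the regexes and verdict names are this example's own.

```python
import json
import re
from typing import NamedTuple, Tuple

# The RunOnce IoC as it appears in the report (value name = "json-escaped data").
REPORTED_RUNONCE = (
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
    r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""'
)

# Constructed for this example (not from the report): a plain Run value that
# relaunches a dropped binary at every logon, i.e. real persistence.
CONSTRUCTED_RUN = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' = "\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\""'
)


class RunEntry(NamedTuple):
    key_path: str   # registry key the value lives in
    name: str       # value name
    data: str       # decoded string data (the command line)
    wow64: bool     # written under WOW6432Node, i.e. by a 32-bit process on x64


def parse_set_value_ioc(ioc: str) -> RunEntry:
    """Split '<key>\\<name> = "<escaped data>"' into its parts.

    The report escapes the string data like a JSON string (\\\\ and \\"),
    so json.loads recovers the literal command line.
    """
    key_and_name, _, raw_data = ioc.partition(" = ")
    key_path, _, name = key_and_name.rpartition("\\")
    data = json.loads(raw_data)
    return RunEntry(key_path, name, data, "\\WOW6432Node\\" in key_path)


# rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" recursively deletes <dir>.
_DELNODE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?P<dll>\S*advpack\.dll),DelNodeRunDLL32\s+"(?P<target>[^"]*)"\s*$',
    re.IGNORECASE,
)
# wextract names its cleanup entries wextract_cleanup<N>.
_WEXTRACT_NAME = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)


def classify(entry: RunEntry) -> Tuple[str, str]:
    """Return (verdict, detail).

    wextract-cleanup : standard self-extractor cleanup, detail = directory deleted
    delnode-cleanup  : same DelNodeRunDLL32 mechanism under a non-standard name
    review           : anything else; detail = the command line to inspect
    """
    m = _DELNODE.match(entry.data)
    if m and _WEXTRACT_NAME.match(entry.name):
        return ("wextract-cleanup", m.group("target"))
    if m:
        return ("delnode-cleanup", m.group("target"))
    return ("review", entry.data)


if __name__ == "__main__":
    for ioc in (REPORTED_RUNONCE, CONSTRUCTED_RUN):
        entry = parse_set_value_ioc(ioc)
        verdict, detail = classify(entry)
        print(f"{entry.name:20} wow64={entry.wow64!s:5} {verdict:16} {detail}")
```

The split into parse and classify keeps the registry-path handling separate from the verdict logic, so the same classifier can be pointed at values read live from a host (for example via `reg query` output) rather than at a sandbox IoC string.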
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jk27ca.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BOOSTH~1.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1492  jk27ca.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                              procid_target
PID 5040 wrote to memory of 1492   5040  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe  82
PID 5040 wrote to memory of 1492   5040  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe  82
PID 5040 wrote to memory of 1492   5040  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe  82
PID 1492 wrote to memory of 3580   1492  jk27ca.exe                                           83
PID 1492 wrote to memory of 3580   1492  jk27ca.exe                                           83
PID 1492 wrote to memory of 3580   1492  jk27ca.exe                                           83
PID 1492 wrote to memory of 3444   1492  jk27ca.exe                                           84
PID 1492 wrote to memory of 3444   1492  jk27ca.exe                                           84
PID 1492 wrote to memory of 3444   1492  jk27ca.exe                                           84
PID 5040 wrote to memory of 3712   5040  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe  85
PID 5040 wrote to memory of 3712   5040  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe  85
PID 5040 wrote to memory of 3712   5040  d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe  85
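Added example, not part of the report: the twelve WriteProcessMemory rows above collapse to four parent/child edges (each edge is logged three times), and combining them with the SeDebugPrivilege row and the per-PID image names from the Processes section rebuilds the process tree and singles out the one pattern worth a closer look here, jk27ca.exe (PID 1492) enabling SeDebugPrivilege and writing into two fresh copies of its own image. The rule `flag_same_image_writes` is a heuristic of this example, not a verdict the sandbox gives; a parent legitimately relaunching itself would trip the same-image check but not normally need SeDebugPrivilege.

```python
import re
from typing import Dict, List, Set, Tuple

# The twelve WriteProcessMemory IoC rows, copied from the report above
# (description, pid, Process, procid_target; one row per line).
WPM_IOCS = """\
PID 5040 wrote to memory of 1492 5040 d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe 82
PID 5040 wrote to memory of 1492 5040 d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe 82
PID 5040 wrote to memory of 1492 5040 d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe 82
PID 1492 wrote to memory of 3580 1492 jk27ca.exe 83
PID 1492 wrote to memory of 3580 1492 jk27ca.exe 83
PID 1492 wrote to memory of 3580 1492 jk27ca.exe 83
PID 1492 wrote to memory of 3444 1492 jk27ca.exe 84
PID 1492 wrote to memory of 3444 1492 jk27ca.exe 84
PID 1492 wrote to memory of 3444 1492 jk27ca.exe 84
PID 5040 wrote to memory of 3712 5040 d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe 85
PID 5040 wrote to memory of 3712 5040 d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe 85
PID 5040 wrote to memory of 3712 5040 d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe 85
"""

# Image name per PID, taken from the report's Processes section.
PROCESS_IMAGES: Dict[int, str] = {
    5040: "d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe",
    1492: "jk27ca.exe",
    3580: "jk27ca.exe",
    3444: "jk27ca.exe",
    3712: "BOOSTH~1.EXE",
}

# PIDs the report shows enabling SeDebugPrivilege (AdjustPrivilegeToken signature).
SEDEBUG_PIDS: Set[int] = {1492}

# One IoC row; the writer PID appears twice (in the description and the pid column).
_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_procid>\d+)$"
)


def parse_wpm_rows(text: str) -> List[Tuple[int, int, str]]:
    """Parse every row into (writer_pid, target_pid, writer_image); a malformed row raises."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        rows.append((int(m["src"]), int(m["dst"]), m["image"]))
    return rows


def build_tree(rows: List[Tuple[int, int, str]]) -> Dict[int, List[int]]:
    """Collapse repeated rows into parent -> [children], keeping first-seen order."""
    tree: Dict[int, List[int]] = {}
    for src, dst, _ in rows:
        children = tree.setdefault(src, [])
        if dst not in children:
            children.append(dst)
    return tree


def flag_same_image_writes(tree: Dict[int, List[int]], images: Dict[int, str],
                           sedebug_pids: Set[int]) -> List[Tuple[int, int]]:
    """Heuristic (this example's, not the sandbox's): return (parent, child) pairs where
    a parent holding SeDebugPrivilege wrote into a child that runs the parent's own image.
    Such self-image writes are the shape seen in self-injection/hollowing loaders, so they
    are the processes to dump first; the heuristic does not prove injection by itself."""
    hits = []
    for parent, children in tree.items():
        if parent not in sedebug_pids:
            continue
        for child in children:
            if images.get(parent) == images.get(child):
                hits.append((parent, child))
    return hits


def render_tree(tree: Dict[int, List[int]], images: Dict[int, str],
                root: int, depth: int = 0) -> List[str]:
    """Indented 'pid image' lines, one per process, in tree order."""
    lines = [f"{'  ' * depth}{root} {images.get(root, '?')}"]
    for child in tree.get(root, []):
        lines.extend(render_tree(tree, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_wpm_rows(WPM_IOCS)
    tree = build_tree(rows)
    print("\n".join(render_tree(tree, PROCESS_IMAGES, 5040)))
    for parent, child in flag_same_image_writes(tree, PROCESS_IMAGES, SEDEBUG_PIDS):
        print(f"inspect: {parent} ({PROCESS_IMAGES[parent]}) wrote into same-image child {child}")
```

Run against the rows above this prints the five-process tree rooted at PID 5040 and flags 1492 -> 3580 and 1492 -> 3444; with SEDEBUG_PIDS empty nothing is flagged, which is the intended behaviour for a parent that merely relaunches itself.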
Processes
C:\Users\Admin\AppData\Local\Temp\d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118.exe"
  depth 1, PID 5040
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
      depth 2, PID 1492
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
          command line: jk27ca.exe
          depth 3, PID 3580
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk27ca.exe
          command line: jk27ca.exe
          depth 3, PID 3444
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTH~1.EXE
      depth 2, PID 3712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 467KB
MD5: 0715c843b7a3251e30b1032441b72a16
SHA1: 8200877a5671f14accec609d62f5a481b8dec598
SHA256: 24db9327aa259fb2b7ce9bde4a56c1abc7ca545637b1b9bd117221943957a311
SHA512: e681dbbcfd7516860deb685eb2d368f431aa2ecddd078e1350dd06b6d808cf15041e7307d1f5ea520770b0489fd6105979d2266f27adb7ad58cdde6ef832d271

Filesize: 197KB
MD5: 29e01606b4f35126333767f1fd7712fe
SHA1: 25699a15402be8674f6a04592e51c3a1bffd2805
SHA256: 05129e5a49b13ec8e8f0098c927fbaf8b8b19a38e65aef20773d56f2c734833f
SHA512: dfd3eca7cdfe7b97d12882e192ad85a57da938a5761a44d07aa85b386a0a4b20655c823341cb82b78585f1996ca3be9d8c7843e4a3fc9c132b1f56992ba1a405