Analysis
- max time kernel: 1799s
- max time network: 1798s
- platform: windows11-21h2_x64
- resource: win11-20241007-es
- resource tags: arch:x64, arch:x86, image:win11-20241007-es, locale:es-es, os:windows11-21h2-x64, system, windows
- submitted: 16-12-2024 12:25
General
- Target: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe
- Size: 28KB
- MD5: f24516e2e02ab686e09717a81c107361
- SHA1: 381f0ebaaf5e6680003d3c2faff66435e75e70fa
- SHA256: c425e7ac539d1829382242ccc5201c520cda3d3f219bd80241c5ddc5b355733e
- SHA512: 0e36547ba20883ffcf6475a54cda201190488701c248786e0691ca628952f8620a57fe859c900cb0d139777f0005e644b04f633d9dcee0bcc1821514bfdcb24b
- SSDEEP: 384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNrpjaCNgw:Dv8IRRdsxq1DjJcqf0jaK
Malware Config
Signatures
-
Detects MyDoom family 27 IoCs
-
Mydoom family
-
Executes dropped EXE 1 IoCs
- pid 2792, Process: services.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (Process: services.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe)
-
Drops file in Windows directory 3 IoCs
- File created: C:\Windows\services.exe (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe)
- File opened for modification: C:\Windows\java.exe (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe)
- File created: C:\Windows\java.exe (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe)
-
Program crash 1 IoCs
- pid 49148 (Process: WerFault.exe), pid_target 1792, procid_target 76
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: services.exe)
-
Suspicious use of WriteProcessMemory 3 IoCs
- PID 1792 wrote to memory of 2792 (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe, procid_target 77)
- PID 1792 wrote to memory of 2792 (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe, procid_target 77)
- PID 1792 wrote to memory of 2792 (Process: f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe, procid_target 77)
Processes
- C:\Users\Admin\AppData\Local\Temp\f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1792
  - C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID: 2792
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 48280
    - Program crash
    PID: 49148
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792
  PID: 49116
Network
MITRE ATT&CK Enterprise v15
Downloads