Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-01-2025 03:21
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Size: 333KB
- MD5: 775098a7a37f647bfd8e1f939d8771df
- SHA1: 4c5147d5d16c3cd1d9b790f07d06084807cb14af
- SHA256: c88f8c13f73d0ee32d0b3a83fce6a383e74234d2ae7fa58bae07cacf0946ff4a
- SHA512: b34dea42013c8318b64075332d7a2f8b46f9609ffb759aa659ba2b9f1edc473940e973616ea2e406680920d2750718cc47ae8825a600e2b02505ba8932476b3d
- SSDEEP: 6144:4iEoiNcdTzZrcxrHHTMXcqEjSrKmwToZ5n:LPiKdTtrYDHTaFmBK
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Disables Task Manager via registry modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | REG.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | REG.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Modifies registry key (1 TTP, 2 IoCs)
  pid | Process
  600 | REG.exe
  2280 | REG.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1632 wrote to memory of 2392 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 31
  PID 1632 wrote to memory of 2392 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 31
  PID 1632 wrote to memory of 2392 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 31
  PID 1632 wrote to memory of 2392 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 31
  PID 1632 wrote to memory of 264 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 32
  PID 1632 wrote to memory of 264 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 32
  PID 1632 wrote to memory of 264 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 32
  PID 1632 wrote to memory of 264 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 32
  PID 1632 wrote to memory of 600 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 33
  PID 1632 wrote to memory of 600 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 33
  PID 1632 wrote to memory of 600 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 33
  PID 1632 wrote to memory of 600 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 33
  PID 1632 wrote to memory of 2280 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 34
  PID 1632 wrote to memory of 2280 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 34
  PID 1632 wrote to memory of 2280 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 34
  PID 1632 wrote to memory of 2280 | 1632 | JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe"
  PID: 1632
  Signatures:
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
    PID: 2392
  - C:\Windows\SysWOW64\WScript.exe (level 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XoymS.vbs"
    PID: 264
    Signatures:
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\REG.exe (level 2)
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 0 /f
    PID: 600
    Signatures:
    - System Location Discovery: System Language Discovery
    - Modifies registry key
  - C:\Windows\SysWOW64\REG.exe (level 2)
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    PID: 2280
    Signatures:
    - System Location Discovery: System Language Discovery
    - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 405B
- MD5: 3f15ac4f6dfba7f653788de5b9101ebc
- SHA1: 4ef9e50ba823249e50df563e5fdfaaf4e13ad041
- SHA256: 3bde2f11a96ee13e4b2cf06f1728730d8163b71d011dc9beb1bf0d659220b37b
- SHA512: 6ef0b58f301b76dff08c89c4af2fddc87689c0744ab59f81e0ad7294df1bd331ad400800cfbe21727527b3415f0a6b6be0cf54daa00368fd48e59d59859df8c0