Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-01-2025 03:21

General

  • Target

    JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe

  • Size

    333KB

  • MD5

    775098a7a37f647bfd8e1f939d8771df

  • SHA1

    4c5147d5d16c3cd1d9b790f07d06084807cb14af

  • SHA256

    c88f8c13f73d0ee32d0b3a83fce6a383e74234d2ae7fa58bae07cacf0946ff4a

  • SHA512

    b34dea42013c8318b64075332d7a2f8b46f9609ffb759aa659ba2b9f1edc473940e973616ea2e406680920d2750718cc47ae8825a600e2b02505ba8932476b3d

  • SSDEEP

    6144:4iEoiNcdTzZrcxrHHTMXcqEjSrKmwToZ5n:LPiKdTtrYDHTaFmBK

Score
8/10

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe"
    1⤵
    • Disables RegEdit via registry modification
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
      2⤵
      PID:2392
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XoymS.vbs"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:264
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 0 /f
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:600
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\XoymS.vbs

      Filesize

      405B

      MD5

      3f15ac4f6dfba7f653788de5b9101ebc

      SHA1

      4ef9e50ba823249e50df563e5fdfaaf4e13ad041

      SHA256

      3bde2f11a96ee13e4b2cf06f1728730d8163b71d011dc9beb1bf0d659220b37b

      SHA512

      6ef0b58f301b76dff08c89c4af2fddc87689c0744ab59f81e0ad7294df1bd331ad400800cfbe21727527b3415f0a6b6be0cf54daa00368fd48e59d59859df8c0

    • memory/1632-0-0x0000000074D31000-0x0000000074D32000-memory.dmp

      Filesize

      4KB

    • memory/1632-1-0x0000000074D30000-0x00000000752DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1632-2-0x0000000074D30000-0x00000000752DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1632-3-0x0000000074D30000-0x00000000752DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1632-4-0x0000000074D30000-0x00000000752DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1632-10-0x0000000074D30000-0x00000000752DB000-memory.dmp

      Filesize

      5.7MB