Analysis
- max time kernel: 143s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 14:57
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
- Size: 64KB
- MD5: 40bf354a2f5f69e307f9498660a7275c
- SHA1: 8b43bf482c7f589d55c12d1066da4f193aeb7bbb
- SHA256: 4fe312ba8f103e4854f6587495146e342684f76874fb7937379062e56fc9110f
- SHA512: 71c12aa22bbcaccd14c281712f889f8342e06dd1bd70e0b2d4e0305d1ff8f285ec447a482bc79c47c89a27c6920dd525ba415887d37292cfd2fce960ce437b0a
- SSDEEP: 768:+wBVHpKTX6O91dbxSFhLfQmETEfax+T1i5JmuKFBXegYBn2RTijAvjx:+U4N91dbxCdomEToT1Z1e9AcI
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 1376 | WinDefender.exe |
| 2240 | WinDefender.exe |

- Loads dropped DLL (3 IoCs)

| pid | Process |
|---|---|
| 1080 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |
| 1080 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |
| 1376 | WinDefender.exe |

- Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.exe" | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.exe" | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |

- Suspicious use of SetThreadContext (2 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1756 set thread context of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1376 set thread context of 2240 | 1376 | WinDefender.exe | 31 |

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinDefender.exe |

- Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe |
| 1376 | WinDefender.exe |

- Suspicious use of WriteProcessMemory (22 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1756 wrote to memory of 1080 | 1756 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 29 |
| PID 1080 wrote to memory of 1376 | 1080 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 30 |
| PID 1080 wrote to memory of 1376 | 1080 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 30 |
| PID 1080 wrote to memory of 1376 | 1080 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 30 |
| PID 1080 wrote to memory of 1376 | 1080 | JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe | 30 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
| PID 1376 wrote to memory of 2240 | 1376 | WinDefender.exe | 31 |
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe (depth 1, PID 1756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe (depth 2, PID 1080)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe"
    Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\WinDefender.exe (depth 3, PID 1376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\WinDefender.exe (depth 4, PID 2240)
        Command line: "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe"
        Signatures:
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: 40bf354a2f5f69e307f9498660a7275c
- SHA1: 8b43bf482c7f589d55c12d1066da4f193aeb7bbb
- SHA256: 4fe312ba8f103e4854f6587495146e342684f76874fb7937379062e56fc9110f
- SHA512: 71c12aa22bbcaccd14c281712f889f8342e06dd1bd70e0b2d4e0305d1ff8f285ec447a482bc79c47c89a27c6920dd525ba415887d37292cfd2fce960ce437b0a