Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_40be6c33c12f3c41771f05ba4bc3bf11.jad
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_40be6c33c12f3c41771f05ba4bc3bf11.jad
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_40be6c33c12f3c41771f05ba4bc3bf11.jad
Size: 134KB
MD5: 40be6c33c12f3c41771f05ba4bc3bf11
SHA1: 5f1e9609850cfd3b612bce88a80180e4f9317635
SHA256: e9b949eb86a4fcc2fc8dc6dcd233fa7bedb04e973763f2aa2f1d09da2eb421b9
SHA512: 6945be3ae7faddf55cf35d52756e6ab97db1b8fc59b8ece8b4d9509adc8dfa18c8bcc3f2f8fc42e66ff7d5bfd028d92fc1ee65488fafff2e8f87e2437c402d74
SSDEEP: 3072:O5z6n+RNkB5j1XF8jyVN0MU7t9CdkoesGfBNMgL:O5zVcfDN0M0kkoWTB
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2220 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2220 | AcroRd32.exe
  2220 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2056 wrote to memory of 1420 | 2056 | cmd.exe | 31
  PID 2056 wrote to memory of 1420 | 2056 | cmd.exe | 31
  PID 2056 wrote to memory of 1420 | 2056 | cmd.exe | 31
  PID 1420 wrote to memory of 2220 | 1420 | rundll32.exe | 33
  PID 1420 wrote to memory of 2220 | 1420 | rundll32.exe | 33
  PID 1420 wrote to memory of 2220 | 1420 | rundll32.exe | 33
  PID 1420 wrote to memory of 2220 | 1420 | rundll32.exe | 33
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be6c33c12f3c41771f05ba4bc3bf11.jad
   - Suspicious use of WriteProcessMemory
   PID: 2056

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be6c33c12f3c41771f05ba4bc3bf11.jad
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 1420

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be6c33c12f3c41771f05ba4bc3bf11.jad"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID: 2220
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: e4c150e154fe403d81b97f2164dae93e
SHA1: 1cb75b2cd41ab3cd7eb8130c7a7c30212dcb12af
SHA256: 5f9fb38eb6b727c3106e8bd6ef7c6a2ea23b24f3e0db1516b06c8267a809680a
SHA512: d0ad7d06ee2658fe9a1d63d84365f540e55b698980aa1d581bae9b9659118f0d3d8ee34e61702ef1ac618d3dbb1ef8b24c9b850a07d818781cd298a9828273ea