Analysis

max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 20:35
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe
Size: 14.1MB
MD5: 4375ccd5831118c67cc584ac6cddb136
SHA1: 26996c83d47e2cf855b9149d18b41a1708ba1f6c
SHA256: 648cd5aa61222565eb922abfdb582f276601fb5515594a2e0a8a81f670e62346
SHA512: 328484cb3bbe1e5d53a73787cc3a61b9da0085f887054a644295cba1e7c0fda27e549702790dfdcc0a597ed448c3f6b745f9ebf947af998ad2f350f7daf1e03a
SSDEEP: 393216:SvPqHYSCl2aHo6I8XtAZmFAp3QhG+K14lr:ADSCl2sDIkA9H+e4x
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource: behavioral1/files/0x000600000001926b-57.dat  yara_rule: acprotect
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Process: setup.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  Process: setup.exe
Executes dropped EXE (2 IoCs)
  pid: 1960  Process: setup.exe
  pid: 2604  Process: ~EFEC.tmp
Loads dropped DLL (13 IoCs)
  pid: 2204  Process: JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe  (1 entry)
  pid: 1960  Process: setup.exe  (8 entries)
  pid: 2756  Process: cmd.exe  (2 entries)
  pid: 1960  Process: setup.exe  (2 entries)
Drops file in System32 directory (1 IoC)
  description: File opened for modification  ioc: C:\Windows\SysWOW64\nstF01D.tmp  Process: setup.exe

yara_rule matches (6 IoCs; rule: upx)
  resource: behavioral1/memory/1960-48-0x0000000003D50000-0x0000000003E82000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1960-59-0x0000000003D50000-0x0000000003E82000-memory.dmp  yara_rule: upx
  resource: behavioral1/files/0x000600000001926b-57.dat  yara_rule: upx
  resource: behavioral1/files/0x000800000001930d-69.dat  yara_rule: upx
  resource: behavioral1/memory/2604-72-0x0000000000400000-0x000000000059B000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/2604-99-0x0000000000400000-0x000000000059B000-memory.dmp  yara_rule: upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: setup.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: ~EFEC.tmp
Modifies registry class (3 IoCs)
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}\AutoConvertTo\ = "{00020803-0000-0000-C000-000000000046}"  Process: setup.exe
  description: Key created  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}  Process: setup.exe
  description: Key created  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}\AutoConvertTo  Process: setup.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1960  Process: setup.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: 33  pid: 1960  Process: setup.exe
  description: Token: SeIncBasePriorityPrivilege  pid: 1960  Process: setup.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description: PID 2204 wrote to memory of 1960  pid: 2204  Process: JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe  procid_target: 31  (7 entries)
  description: PID 1960 wrote to memory of 2756  pid: 1960  Process: setup.exe  procid_target: 32  (7 entries)
  description: PID 2756 wrote to memory of 2604  pid: 2756  Process: cmd.exe  procid_target: 34  (7 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe (level 1, PID 2204)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\setup.exe (level 2, PID 1960)
  Command line: C:\Users\Admin\AppData\Local\Temp\\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3, PID 2756)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\~EFED.cmd
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp (level 4, PID 2604)
      Command line: C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp checknewversion 27012550183fa /B
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 813B
MD5: 897dd2da994474958eb68073ea1004ee
SHA1: c20164256d02c0e96e5a54d7c6774046def626fa
SHA256: 1efa1168b2a396772006f7ccd6b1833862c137055567174e049749c72e408334
SHA512: 074af5cde982bc044c967ebfc07594365d70c222e4bc582a65cb2e5cc804df2fdb5058dfe296e250abcad1a2ea5ba6bcdc6e20849bb4f7f7ff2973f0357602b3

Filesize: 267B
MD5: f23d7dba35e84b4f45a4098c6275118c
SHA1: 3cadc6cdf93b166d3a8196e6ebd633b19ea900c4
SHA256: ed6611e14f7a5e7bba8a47488ff6c8725fd6da7fb2ecac9e1b753a18ad73da60
SHA512: 92d96168aaae8aded2571db771338b663d9e9116adcffa99d85951cb8c64946eaa8f431d6bdb04d0fc9b166b9c74e9319ea12d77f790344cc4e754eedf61c370

Filesize: 14KB
MD5: 325b008aec81e5aaa57096f05d4212b5
SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Filesize: 5KB
MD5: 9384f4007c492d4fa040924f31c00166
SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 4KB
MD5: 7579ade7ae1747a31960a228ce02e666
SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Filesize: 447KB
MD5: 03d7001fd3a1c48bd61e7da9928cd36d
SHA1: 5c8418aa6259469bd0b36f3ab3dc5ef3f901dfa9
SHA256: d3965b42b5256a9ee000034ebaee39c7972510dc203ddacd6301bc776c4ae4a7
SHA512: dfc944d9683151a4ad31b3b5fbe231354c5194d3a0f1bcd12a71da82269a9810fc91346ef2a3770813d79b66851e757c4647baebee5eb69f7c9b829e82669c12

Filesize: 7.6MB
MD5: 2e402be8220c5142fd1db6ac3221bdb2
SHA1: 823f4938545750c5315d8680a3486062a32e8225
SHA256: 397cb7c5f9633c95da1876e08764fa586dd38348386509029e1a128c2c661996
SHA512: 0a2b61f7da610ae4f9420f11884aadc6c97d7bfe46c306a06ecc038fec28ca2143296de2ec788dafdcfd2e208b21b229e037d61cba4f63fb8e350414abfa67b7

Filesize: 147KB
MD5: 345171d2a2660b7cd4b8cdd978eda569
SHA1: 516276cfe91c90458cc0f98a09cfaa841494d702
SHA256: c0b239bb834ad52cd1eb5f50d9cef83682e05f7d3fd3c3f5a1c8f106eadcb70b
SHA512: 75e372de5494e487cfe57ae98c71576b18309e4b9e6988609c541c67a5ad91ea034ffba61fa281ed530cc60d07a163a5defd731f748164913e77f42ff77d3118

Filesize: 1.1MB
MD5: c3fb03ae11e469074820d70ed8ab17eb
SHA1: 7bf4db632861dab3253e24d1992c1986be89ac41
SHA256: 3802a2b5ea0279094090457e7926b3e0fcdabec974dc918a7d6cd2c1baa33aa6
SHA512: 9ae1ba3b3bd8c50b236d277889955359cb2de1f9fb48f709793df9e9e99fc338271eafedd4a0b06da36aea8e4ddf817ded33e75dc6665ba008c284e3cf03ce26