Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 20:50
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
- Size: 12KB
- MD5: 439042d2f601f4f8773a4afa76021030
- SHA1: 47fe097e8528c9fe85ea66798c1419bf50e0b65c
- SHA256: db5394366ff0b2b21dbdec994201550dca9b5ae5a26c2e0bbe68e782e1642efd
- SHA512: 014157994b2b6bff4d6213989fea1e9066023748aa87c1d2d9a8d8b6cd811f69857040d055e0e16c892d75da94a2ee1f9ef67141c2444e2eb97499baa749336b
- SSDEEP: 384:WhSEfjg7jtGCN1lh92d5DUofVg0ShQdn3gkmaeP:WIEfjgnsd5DUa5dnQkdU
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2552, Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2280, Process mscornet.exe
- Loads dropped DLL (2 IoCs)
  pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
  pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (2 IoCs)
  File created C:\Windows\SysWOW64\ldB97F.tmp, Process mscornet.exe
  File created C:\Windows\SysWOW64\mscornet.exe, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process mscornet.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process cmd.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2280, Process mscornet.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
  Token: SeIncBasePriorityPrivilege, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
  Token: SeDebugPrivilege, pid 2280, Process mscornet.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2196 wrote to memory of 2280, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 30
  PID 2196 wrote to memory of 2280, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 30
  PID 2196 wrote to memory of 2280, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 30
  PID 2196 wrote to memory of 2280, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 30
  PID 2196 wrote to memory of 2552, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 31
  PID 2196 wrote to memory of 2552, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 31
  PID 2196 wrote to memory of 2552, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 31
  PID 2196 wrote to memory of 2552, pid 2196, Process JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe, procid_target 31
  PID 2280 wrote to memory of 432, pid 2280, Process mscornet.exe, procid_target 5
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439042d2f601f4f8773a4afa76021030.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2196
  - C:\Windows\SysWOW64\mscornet.exe (child of PID 2196)
    Command line: "C:\Windows\system32\mscornet.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2280
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2196)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2552
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
- MD5: 153a1b76ddc3423afa6eb057ba73e69b
- SHA1: c2b3990f8424b304b65873e450d3fb3d77c1a93f
- SHA256: 38dad675433c146bf4bff7c32e9e5b0ac5376d24aa4ede6073d97374084e03b1
- SHA512: e86207fc4417980419f51a19e71a6624289c49273e8c67dc6a7c257c3d65272fd2657803d1471cb8a034a0eee59f652530e1af011a68a81c3140b60d9bcb171c