Analysis

max time kernel: 142s
max time network: 142s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 20:52
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe
Size: 904KB
MD5: 439491ed0b0f851a44db6c1fd5a2680c
SHA1: dbdaf8b9ef8de7c29a286ad439e8b03edf8a1973
SHA256: e3076feb6a742e78f15f9ee37f105f07742735b1bb21902247f66a6fc80ffa66
SHA512: 93c6eca81efc090b7086c4015eece3c9652199cadd00d824db51317cb3747245f8959d92e67fc3860cd29f86a1a8b2fe737c837eb3825f12c01fb482d1770625
SSDEEP: 24576:sLTylPo9Sr5Wy0cmL9TQ/PsKJ/uExDkW7YFP:ETQPprE3BToj/
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2964, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2684, process 38874838.exe
- Loads dropped DLL (5 IoCs)
  pid 3032, process cmd.exe (2 events)
  pid 2684, process 38874838.exe (3 events)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\38874838 = "C:\\ProgramData\\38874838\\38874838.exe" (process: JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\38874838 = "C:\\PROGRA~3\\38874838\\38874838.exe" (process: 38874838.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 38874838.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2684, process 38874838.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  pid 2684, process 38874838.exe (8 events)
- Suspicious use of SendNotifyMessage (8 IoCs)
  pid 2684, process 38874838.exe (8 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2952 (JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe) wrote to memory of PID 2964, procid_target 30 (4 events)
  PID 2964 (cmd.exe) wrote to memory of PID 3032, procid_target 32 (4 events)
  PID 3032 (cmd.exe) wrote to memory of PID 2684, procid_target 33 (4 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe (PID 2952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2964)
    Command line: cmd /c ""C:\ProgramData\38874838\38874838.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3032)
      Command line: cmd.exe /c start C:\PROGRA~3\38874838\38874838.exe /i
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\PROGRA~3\38874838\38874838.exe (PID 2684)
        Command line: C:\PROGRA~3\38874838\38874838.exe /i
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 230B
  MD5: 1f77f141a107c362847b7bac9b527b22
  SHA1: e918a7f0710880d2ca1986b9538d49d35fa8f36b
  SHA256: f3415b5d3ad8d5697d79609aa3c7786ab439a94700304be53a39feb1b3d304b8
  SHA512: 6f1919c83b76d11665fa3ecc40e15dba179b2185af4dda63af85514bc31627bbb609aa46907bce39712088e71b9fe92d5bd639a4bf37cc1919a5a617ecf0efff
- Filesize: 904KB
  MD5: 439491ed0b0f851a44db6c1fd5a2680c
  SHA1: dbdaf8b9ef8de7c29a286ad439e8b03edf8a1973
  SHA256: e3076feb6a742e78f15f9ee37f105f07742735b1bb21902247f66a6fc80ffa66
  SHA512: 93c6eca81efc090b7086c4015eece3c9652199cadd00d824db51317cb3747245f8959d92e67fc3860cd29f86a1a8b2fe737c837eb3825f12c01fb482d1770625