Analysis
- max time kernel: 147s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 20:51
Static task
- static1
Behavioral task
- behavioral1
  - Sample: JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
  - Resource: win7-20240708-en
Behavioral task
- behavioral2
  - Sample: JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
  - Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
- Size: 240KB
- MD5: 4392a267463ca34065f7d7a946ce6361
- SHA1: f0f35c157dba389858ec3fe3bf71769dc22f81c9
- SHA256: d3a7b7b8400ecf781dcfccd1160783d198cc906e4b96906b9624d950b506b1fc
- SHA512: 863300a9cb3c05d0903fe461fed248168450b9c1c363d42a3d806bac42c776287d9f17d3dc5692dcfefdf476d7a66f2c4bc365ab59df190dec6d844f533e69a9
- SSDEEP: 3072:G+b8oarx9+/HQLvYKTFmpTZWuetGsGMzMv69D4WrzOSsvZzkuDj3mw2j7VqaSp66:G+crEHOYYmlIGbi9VrERLvYNqclm7
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2812 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2408 | Utility Mang.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Utility Mang.exe | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
  File opened for modification | C:\Windows\Utility Mang.exe | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
  File created | C:\Windows\Uer.bat | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Utility Mang.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
- Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\System | Utility Mang.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick | Utility Mang.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2408 | Utility Mang.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2408 wrote to memory of 2664 | 2408 | Utility Mang.exe | 31
  PID 2408 wrote to memory of 2664 | 2408 | Utility Mang.exe | 31
  PID 2408 wrote to memory of 2664 | 2408 | Utility Mang.exe | 31
  PID 2408 wrote to memory of 2664 | 2408 | Utility Mang.exe | 31
  PID 2404 wrote to memory of 2812 | 2404 | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe | 32
  PID 2404 wrote to memory of 2812 | 2404 | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe | 32
  PID 2404 wrote to memory of 2812 | 2404 | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe | 32
  PID 2404 wrote to memory of 2812 | 2404 | JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe (PID 2404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2812)
    Command line: cmd /c C:\Windows\Uer.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\Utility Mang.exe (PID 2408)
  Command line: "C:\Windows\Utility Mang.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2664)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214B
  - MD5: b1cbe41d15542f7b30c4cd501f6d3f2c
  - SHA1: bc9932c60d777fb68795433444f716494fc3e3dd
  - SHA256: 44abe5a681992bbc1a09c2a674df09cbed77e0493fef5db06d83731ba34f7341
  - SHA512: 08eab59b01b6bcb4417dfe77b4d54c617e9d7d6c12d27def70dc41659c6f20f7fed3f779cfeb130bb924515c4b2418568e7e1834ba34506f52e4bdff0fa73999
- Filesize: 240KB
  - MD5: 4392a267463ca34065f7d7a946ce6361
  - SHA1: f0f35c157dba389858ec3fe3bf71769dc22f81c9
  - SHA256: d3a7b7b8400ecf781dcfccd1160783d198cc906e4b96906b9624d950b506b1fc
  - SHA512: 863300a9cb3c05d0903fe461fed248168450b9c1c363d42a3d806bac42c776287d9f17d3dc5692dcfefdf476d7a66f2c4bc365ab59df190dec6d844f533e69a9