Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-02-2025 04:38

General

  • Target

    JaffaCakes118_174e8b5b7c9b026c2042a57485f898b7.exe

  • Size

    545KB

  • MD5

    174e8b5b7c9b026c2042a57485f898b7

  • SHA1

    777c745a4cac5d0e8f36a55c65ff075b21c172ba

  • SHA256

    12e488be01c536228338c2ea8394f037abe120196da30532f1d206f7ac9c9448

  • SHA512

    4ccbcc3ac922a360785e5e6a9425840ad38f27cc2d179cf05085d20d03bfef86ec21c34427d493b1feeb5acbbd47d6d005794c96092977e78b3533cc48606457

  • SSDEEP

    12288:3x3e/gePRsOtY/JO2kgV/qjWs9yQsVSzUc:B3Iv7tY/Mbg6WslsVn

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174e8b5b7c9b026c2042a57485f898b7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174e8b5b7c9b026c2042a57485f898b7.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\PROGRA~3\wininit.exe
      C:\PROGRA~3\wininit.exe /a 1
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\System\winlogon.exe
        C:\Windows\System\winlogon.exe /a 2
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

    Filesize

    10B

    MD5

    cdaa9113a06432eb4d00be7b30981af4

    SHA1

    009f16d845a7352c4451d1af6dd299b0e5d7cbf5

    SHA256

    b552b69138abbe8137594e563fe18b669acc3e29308de83bb877a33375111bfd

    SHA512

    26d940a825f5d9b3adbfc939a7a9c1968b7cfbaab212995d36a47179f618a4fba130ca29d65f21a78906cccbd71cc7bbe01625adde71f49324b81cd5b9c74bba

  • \Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

    Filesize

    545KB

    MD5

    174e8b5b7c9b026c2042a57485f898b7

    SHA1

    777c745a4cac5d0e8f36a55c65ff075b21c172ba

    SHA256

    12e488be01c536228338c2ea8394f037abe120196da30532f1d206f7ac9c9448

    SHA512

    4ccbcc3ac922a360785e5e6a9425840ad38f27cc2d179cf05085d20d03bfef86ec21c34427d493b1feeb5acbbd47d6d005794c96092977e78b3533cc48606457

  • \Windows\system\winlogon.exe

    Filesize

    545KB

    MD5

    c49e7430f9703a6c38b64286b1ff5c1f

    SHA1

    0c710e3fd2ab44d91b97ff9be76768b44fe033ea

    SHA256

    c7a13763bb284bed12b93d8e8f7e8b3b082871b4eb13244d982407794805042f

    SHA512

    3636311ee1c38c4e67e57c1fdb49d6026cc82395af5f63b84d7e674c2fa6a58cb9793ebea2df438f44fd7cc5116ca589bc05c630526a7aa6952e8a76b823b464