Analysis
-
max time kernel
145s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
28/03/2025, 19:22
General
-
Target
JaffaCakes118_8af1cb2cc60741dbac95ed339a403bcc.exe
-
Size
644KB
-
MD5
8af1cb2cc60741dbac95ed339a403bcc
-
SHA1
82ea9ea3eeb7428d3ae47dd2e505070364589f75
-
SHA256
840fb5ee19fc8d0ce9ac390ee71a3ee53cfcff5b3978d56c06c2ac981ec414e3
-
SHA512
8d27134dceb3d9378422caf695cf0ca814cd65bb334d51a96a271a2b79285639e3be6866896337b6e139b9353016cf0f6955289ae28679a5573516bb618f12fc
-
SSDEEP
6144:T82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbY6ilV:Hp4pNfz3ymJnJ8QCFkxCaQTOllyu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8af1cb2cc60741dbac95ed339a403bcc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8af1cb2cc60741dbac95ed339a403bcc.exe"2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
645KB
MD5385551c497f478a6d3bb4c4e36367e8f
SHA12588036bfcad4a8e27535ac27361d50c9bc353ad
SHA2563de056316d101b44593a2d21c7162089cf7df1aa17d7017b8c38295e3e974285
SHA512c4ef0f39917440690813d40725dbc88ebc7c83854f5edf58b6945efa30f4a6e28f4de9ccef5e93bbd06c54a1f18df9e92f71d05b8f1b6b25946fe4a6690698c9
-
Filesize
1KB
MD5de657198062a1eb0fe28d8ee399e7786
SHA10b1497610c1f7bfb5d14058f70343e15442f9414
SHA25633c5d1c47587f992c68a9c6395195d4ad663250d83f4dcb2b04a2a5ca2d5f668
SHA512c68c3f1df258fc024fac4af0b4f320025a55b953119dd7fa6549806c84cc45d81b51980944c1a9a69ccc526da4b10dde725601e7f6709f3c9bacf00f75d7dd27
-
Filesize
645KB
MD538a22022e8873f394924f5d294e57a6a
SHA19c49a9596f494dc11940df83e0d54cc6b132aed3
SHA256aea252005ca9c400e6392c45af26ad6ec433b0c7324b74083119c7cbaf40c3c4
SHA512800af3acf8ee079043a1bb1a2ff300b9af474ad10fd3940112548e0a20f269579d49cfd8698ee6a24361cb3eb5ad176db5fa164f35d48d10b3743c76122604e1
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
508KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
508KB
-
Filesize
4KB