Analysis
- max time kernel: 103s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 12:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_1c28da44960497bceb166900a400237c.exe
- Resource: win10v2004-20250619-en
General
- Target: JaffaCakes118_1c28da44960497bceb166900a400237c.exe
- Size: 161KB
- MD5: 1c28da44960497bceb166900a400237c
- SHA1: 6c9e64a0db223e8bca449a2fcf3cd455e3c23e87
- SHA256: 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
- SHA512: c35223648ecce7dfcbf3a7fbefd812b23f2543dd5116bdae2fd3db042c7011dfe0b77cb8843747f4e8619fbfbcbcf41a29a7dd231eb466a43102b5f1a5d19213
- SSDEEP: 3072:fPX021/sYkfq0ypMCj+VcicXvZff3LJZBfgVdyJw0wjbg:fPkOJ0ypFiVcicpfLz64wL0
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" (process: JaffaCakes118_1c28da44960497bceb166900a400237c.exe)
- Ramnit family
- Executes dropped EXE (4 IoCs)
  PID 2916: JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
  PID 6140: wi1v12.exe
  PID 3204: wi1v12mgr.exe
  PID 4864: wi1v12.exe
- Loads dropped DLL (2 IoCs)
  PID 2916: JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
  PID 3204: wi1v12mgr.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" (process: JaffaCakes118_1c28da44960497bceb166900a400237c.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" (process: wi1v12.exe)
- Drops desktop.ini file(s) (1 IoC)
  File created: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\Desktop.ini (process: JaffaCakes118_1c28da44960497bceb166900a400237c.exe)
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" (process: JaffaCakes118_1c28da44960497bceb166900a400237c.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" (process: wi1v12.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4964 (JaffaCakes118_1c28da44960497bceb166900a400237c.exe) set thread context of PID 4752 (procid_target 93)
  PID 6140 (wi1v12.exe) set thread context of PID 4864 (procid_target 102)
- Yara rule match
  resource: behavioral1/memory/2916-11-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: upx
- Program crash (2 IoCs)
  PID 1888 (WerFault.exe), pid_target 2916 (procid_target 86)
  PID 6044 (WerFault.exe), pid_target 3204 (procid_target 97)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_1c28da44960497bceb166900a400237c.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: wi1v12.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: wi1v12mgr.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4752: JaffaCakes118_1c28da44960497bceb166900a400237c.exe (listed twice)
  PID 4864: wi1v12.exe (listed twice)
- Suspicious use of WriteProcessMemory (31 IoCs; identical entries grouped, with their count)
  PID 4964 (JaffaCakes118_1c28da44960497bceb166900a400237c.exe) wrote to memory of PID 2916 (procid_target 86): 3 entries
  PID 4964 (JaffaCakes118_1c28da44960497bceb166900a400237c.exe) wrote to memory of PID 4752 (procid_target 93): 8 entries
  PID 4752 (JaffaCakes118_1c28da44960497bceb166900a400237c.exe) wrote to memory of PID 3520 (procid_target 56): 3 entries
  PID 4924 (cmd.exe) wrote to memory of PID 6140 (procid_target 96): 3 entries
  PID 6140 (wi1v12.exe) wrote to memory of PID 3204 (procid_target 97): 3 entries
  PID 6140 (wi1v12.exe) wrote to memory of PID 4864 (procid_target 102): 8 entries
  PID 4864 (wi1v12.exe) wrote to memory of PID 3520 (procid_target 56): 3 entries
Processes
- C:\Windows\Explorer.EXE (PID 3520)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe (PID 4964)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"
    signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe (PID 2916)
      command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 1888)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 480
        signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe (PID 4752)
      command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"
      signatures: Modifies WinLogon for persistence; Adds Run key to start application; Drops desktop.ini file(s); Modifies WinLogon; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4924)
    command line: C:\Windows\system32\cmd.exe /c C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
    signatures: Suspicious use of WriteProcessMemory
    - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe (PID 6140)
      command line: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe (PID 3204)
        command line: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe
        signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID 6044)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 540
          signatures: Program crash
      - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe (PID 4864)
        command line: "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Modifies WinLogon; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe (PID 1588)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2916 -ip 2916
- C:\Windows\SysWOW64\WerFault.exe (PID 3292)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3204 -ip 3204
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 161KB
  MD5: 1c28da44960497bceb166900a400237c
  SHA1: 6c9e64a0db223e8bca449a2fcf3cd455e3c23e87
  SHA256: 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
  SHA512: c35223648ecce7dfcbf3a7fbefd812b23f2543dd5116bdae2fd3db042c7011dfe0b77cb8843747f4e8619fbfbcbcf41a29a7dd231eb466a43102b5f1a5d19213
- Filesize: 106KB
  MD5: fe36fb1073e6f8fa14d7250501a29aaf
  SHA1: 6c7e01278362797dabcff3e666b68227cb9af10f
  SHA256: f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
  SHA512: 8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f
- Filesize: 1.6MB
  MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1: e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219