Analysis

max time kernel: 101s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:04

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_1c28da44960497bceb166900a400237c.exe
Resource: win10v2004-20250619-en

General

Target: JaffaCakes118_1c28da44960497bceb166900a400237c.exe
Size: 161KB
MD5: 1c28da44960497bceb166900a400237c
SHA1: 6c9e64a0db223e8bca449a2fcf3cd455e3c23e87
SHA256: 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
SHA512: c35223648ecce7dfcbf3a7fbefd812b23f2543dd5116bdae2fd3db042c7011dfe0b77cb8843747f4e8619fbfbcbcf41a29a7dd231eb466a43102b5f1a5d19213
SSDEEP: 3072:fPX021/sYkfq0ypMCj+VcicXvZff3LJZBfgVdyJw0wjbg:fPkOJ0ypFiVcicpfLz64wL0
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | JaffaCakes118_1c28da44960497bceb166900a400237c.exe

Ramnit family

Executes dropped EXE (4 IoCs)
pid | Process
2352 | JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
944 | wi1v12.exe
6016 | wi1v12mgr.exe
4892 | wi1v12.exe

Loads dropped DLL (2 IoCs)
pid | Process
2352 | JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
6016 | wi1v12mgr.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | JaffaCakes118_1c28da44960497bceb166900a400237c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | wi1v12.exe

Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File created | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\Desktop.ini | JaffaCakes118_1c28da44960497bceb166900a400237c.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | JaffaCakes118_1c28da44960497bceb166900a400237c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | wi1v12.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2156 set thread context of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 944 set thread context of 4892 | 944 | wi1v12.exe | 89

resource | yara_rule
behavioral2/memory/2352-12-0x0000000000400000-0x000000000042A000-memory.dmp | upx

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
6036 | 2352 | WerFault.exe | 78
3292 | 6016 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1c28da44960497bceb166900a400237c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wi1v12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wi1v12mgr.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1792 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe
1792 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe
4892 | wi1v12.exe
4892 | wi1v12.exe

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target
PID 2156 wrote to memory of 2352 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 78
PID 2156 wrote to memory of 2352 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 78
PID 2156 wrote to memory of 2352 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 78
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 2156 wrote to memory of 1792 | 2156 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 82
PID 1792 wrote to memory of 3316 | 1792 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 52
PID 1792 wrote to memory of 3316 | 1792 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 52
PID 1792 wrote to memory of 3316 | 1792 | JaffaCakes118_1c28da44960497bceb166900a400237c.exe | 52
PID 1340 wrote to memory of 944 | 1340 | cmd.exe | 85
PID 1340 wrote to memory of 944 | 1340 | cmd.exe | 85
PID 1340 wrote to memory of 944 | 1340 | cmd.exe | 85
PID 944 wrote to memory of 6016 | 944 | wi1v12.exe | 86
PID 944 wrote to memory of 6016 | 944 | wi1v12.exe | 86
PID 944 wrote to memory of 6016 | 944 | wi1v12.exe | 86
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 944 wrote to memory of 4892 | 944 | wi1v12.exe | 89
PID 4892 wrote to memory of 3316 | 4892 | wi1v12.exe | 52
PID 4892 wrote to memory of 3316 | 4892 | wi1v12.exe | 52
PID 4892 wrote to memory of 3316 | 4892 | wi1v12.exe | 52
Processes

(indentation shows the parent/child tree; each entry gives the image path, PID, command line and the signatures attributed to that process)

C:\Windows\Explorer.EXE (PID 3316)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe (PID 2156)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe (PID 2352)
      command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe (PID 6036)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 508
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe (PID 1792)
      command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Modifies WinLogon
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 1340)
    command line: C:\Windows\system32\cmd.exe /c C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
    - Suspicious use of WriteProcessMemory

    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe (PID 944)
      command line: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe (PID 6016)
        command line: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe (PID 3292)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 504
          - Program crash

      C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe (PID 4892)
        command line: "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies WinLogon
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe (PID 3248)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2352 -ip 2352

C:\Windows\SysWOW64\WerFault.exe (PID 4748)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6016 -ip 6016
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 161KB
MD5: 1c28da44960497bceb166900a400237c
SHA1: 6c9e64a0db223e8bca449a2fcf3cd455e3c23e87
SHA256: 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
SHA512: c35223648ecce7dfcbf3a7fbefd812b23f2543dd5116bdae2fd3db042c7011dfe0b77cb8843747f4e8619fbfbcbcf41a29a7dd231eb466a43102b5f1a5d19213

Filesize: 106KB
MD5: fe36fb1073e6f8fa14d7250501a29aaf
SHA1: 6c7e01278362797dabcff3e666b68227cb9af10f
SHA256: f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
SHA512: 8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f

Filesize: 1.6MB
MD5: 1cf5669feb127f89f57e8e9d9ac11409
SHA1: d8aaccbbef08cde0161bfbc0f6b7b1e8a1c43d42
SHA256: 35f8d721f246ae3e19d204f9bcab3237448ed906a25bba14e7016e5cdd2fc2ce
SHA512: 7ebf6cc1a5a0d1ad89666af09bbdd947c02fcb933aeb72c8aff1a378582e38e5c816f806afe87038f10215c3c6c11e50f3226146ba3358e4d6005553cf373b08