Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2024 08:57

Static task: static1

Behavioral task: behavioral1
- Sample: 1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe
- Size: 19.3MB
- MD5: 1de06b5e12c970e8541adf5fe65b0097
- SHA1: 44457eac460c24e0ca2c0252ee2d2eefc8727af9
- SHA256: 02f8a34310c1e29f05e95be43338bb7bc0cdceae47462a10a3801ed2eab93d27
- SHA512: 9eb3d5e1fb77edd70360d1f51cfcf793206bfbe458391ad577f52e85266fec15acaae82d818c1d26f1845ec99ceba22495576fe6d480a5fbd4281c9bccc30171
- SSDEEP: 49152:rtqD5h7V9LYGvZ2wSKhZpPam66qK7YrI3rc1jduXEsu:rtSh7V9sVMpPam66tEMI
Malware Config
Extracted
- family: cobaltstrike
- C2 URL: http://apt.freelinuxupdate.tk:2053/bootstrap-2.min.js
- user_agent: "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)" (the value is the complete header line, as extracted)
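The extracted beacon config above gives two network indicators: the C2 host, port and URI, and the User-Agent the beacon sends. The following is an added example, not part of this Triage report, that classifies HTTP records against those values. The log lines are constructed for the example (a simplified tab-separated Zeek-like layout, not real traffic from this sample). It also applies a heuristic that is an assumption of this example rather than something the report states: genuine Internet Explorer pairs each MSIE major version with a fixed Trident token (IE8 with Trident/4.0, IE9 with 5.0, IE10 with 6.0, IE11 with 7.0), and compatibility view reports "MSIE 7.0" rather than 8.0, so the combination "MSIE 8.0 ... Trident/5.0" in this config is not one a real IE build produces and is worth flagging on its own.

```python
"""Added example (not part of the Triage report): flag HTTP records that match
the Cobalt Strike beacon config extracted on this page, and apply a
User-Agent consistency heuristic.  SAMPLE_LOG is constructed for this example."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Values taken from the extracted config on this page.
C2_URL = "http://apt.freelinuxupdate.tk:2053/bootstrap-2.min.js"
C2_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)"

# Heuristic (assumption of this example): real IE ties the MSIE version to a
# fixed Trident token; compat view reports MSIE 7.0 with a newer Trident, so
# "MSIE 8.0 ... Trident/5.0" is not a combination a genuine IE build emits.
_IE_TRIDENT = {"8.0": "4.0", "9.0": "5.0", "10.0": "6.0", "11.0": "7.0"}
_UA_RE = re.compile(r"MSIE (\d+\.\d+);.*Trident/(\d+\.\d+)")


@dataclass
class HttpRecord:
    ts: str
    src: str
    host: str
    port: int
    method: str
    uri: str
    user_agent: str


def parse_line(line: str) -> HttpRecord:
    """Parse one constructed tab-separated log line."""
    ts, src, host, port, method, uri, ua = line.rstrip("\n").split("\t")
    return HttpRecord(ts, src, host, int(port), method, uri, ua)


def ua_is_inconsistent_ie(ua: str) -> bool:
    """True when the MSIE version and Trident token do not belong together."""
    m = _UA_RE.search(ua)
    if not m:
        return False
    msie, trident = m.groups()
    expected = _IE_TRIDENT.get(msie)
    return expected is not None and expected != trident


def classify(rec: HttpRecord, c2_url: str = C2_URL, c2_ua: str = C2_USER_AGENT) -> list:
    """Return the reasons a record looks like this beacon (empty list = clean)."""
    parts = urlsplit(c2_url)
    reasons = []
    if rec.host == parts.hostname:
        reasons.append("c2-host")
        if rec.port == (parts.port or 80) and rec.uri == parts.path:
            reasons.append("c2-url")
    if rec.user_agent == c2_ua:
        reasons.append("c2-user-agent")
    elif ua_is_inconsistent_ie(rec.user_agent):
        reasons.append("inconsistent-ie-ua")
    return reasons


# Constructed sample: one full beacon check-in, a benign CDN fetch, a POST to
# the C2 host on a different URI, and a genuine-looking IE9 request.
SAMPLE_LOG = (
    "2024-03-29T08:58:01\t10.0.0.15\tapt.freelinuxupdate.tk\t2053\tGET\t/bootstrap-2.min.js\t"
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)\n"
    "2024-03-29T08:58:02\t10.0.0.15\tcdn.example.net\t80\tGET\t/bootstrap.min.js\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0\n"
    "2024-03-29T08:58:03\t10.0.0.22\tapt.freelinuxupdate.tk\t2053\tPOST\t/submit.php\t"
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)\n"
    "2024-03-29T08:58:04\t10.0.0.31\tintranet.example.net\t80\tGET\t/\t"
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\n"
)


def scan(log_text: str = SAMPLE_LOG) -> dict:
    """Return {(src, host, uri): reasons} for every flagged record."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits[(rec.src, rec.host, rec.uri)] = reasons
    return hits


if __name__ == "__main__":
    for key, reasons in scan().items():
        print(key, reasons)
```

Matching on the host alone is deliberately separate from matching the full URL: a beacon's GET (the check-in URI above) and its POST (a different URI in the same profile) share the host, and the host hit is what a hunt across the whole proxy log needs first.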
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (3 IoCs)
  Processes: go-memexec-562350551.exe, go-memexec-870809735.exe, go-memexec-016121755.exe
  pid   process
  3452  go-memexec-562350551.exe
  3572  go-memexec-870809735.exe
  5060  go-memexec-016121755.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe, go-memexec-562350551.exe, go-memexec-870809735.exe
  description                       pid   process                                              target process
  PID 1632 wrote to memory of 3452  1632  1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe  go-memexec-562350551.exe
  PID 1632 wrote to memory of 3452  1632  1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe  go-memexec-562350551.exe
  PID 1632 wrote to memory of 3452  1632  1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe  go-memexec-562350551.exe
  PID 3452 wrote to memory of 3572  3452  go-memexec-562350551.exe                             go-memexec-870809735.exe
  PID 3452 wrote to memory of 3572  3452  go-memexec-562350551.exe                             go-memexec-870809735.exe
  PID 3572 wrote to memory of 5060  3572  go-memexec-870809735.exe                             go-memexec-016121755.exe
  PID 3572 wrote to memory of 5060  3572  go-memexec-870809735.exe                             go-memexec-016121755.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\go-memexec-562350551.exe (PID 3452)
    Command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-562350551.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\go-memexec-870809735.exe (PID 3572)
      Command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-870809735.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\go-memexec-016121755.exe (PID 5060)
        Command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-016121755.exe
        - Executes dropped EXE
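The process tree above is a four-deep chain in which each stage is a freshly dropped executable in the user's Temp directory that writes into and launches the next one; the go-memexec-<digits>.exe names are the temp-file naming of the go-memexec Go library, which writes an embedded binary to a temporary file and executes it, so the 19.3MB sample is unpacking nested Go binaries stage by stage. The following is an added example, not part of this Triage report, that rebuilds such a chain from sandbox-style "wrote to memory" events and flags any leaf whose ancestry has two or more consecutive Temp-to-Temp launches. The EVENTS list is constructed from the PIDs and paths on this page (with the report's duplicate rows kept) plus one benign launch, also constructed, for contrast; the minimum-hop threshold is a parameter of this example, not a value from the report.

```python
"""Added example, not part of the Triage report: rebuild the parent/child
chain from sandbox-style "wrote to memory" events and flag repeated
Temp -> Temp launches.  EVENTS is constructed from this page's process tree."""
import re

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# go-memexec-<digits>.exe is the temp-file name pattern of the go-memexec Go
# library (embedded binary written to a temporary file, then executed).
GO_MEMEXEC_RE = re.compile(r"^go-memexec-\d+\.exe$", re.IGNORECASE)

SAMPLE = TEMP_DIR + r"\1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe"
DROP1 = TEMP_DIR + r"\go-memexec-562350551.exe"
DROP2 = TEMP_DIR + r"\go-memexec-870809735.exe"
DROP3 = TEMP_DIR + r"\go-memexec-016121755.exe"

# (parent pid, parent image, child pid, child image).  The repeated rows mirror
# the seven WriteProcessMemory IoCs in the report; the last row is a
# constructed benign launch so the detector has something to ignore.
EVENTS = [
    (1632, SAMPLE, 3452, DROP1),
    (1632, SAMPLE, 3452, DROP1),
    (1632, SAMPLE, 3452, DROP1),
    (3452, DROP1, 3572, DROP2),
    (3452, DROP1, 3572, DROP2),
    (3572, DROP2, 5060, DROP3),
    (3572, DROP2, 5060, DROP3),
    (4120, r"C:\Windows\explorer.exe", 4500, r"C:\Program Files\Editor\editor.exe"),
]


def build_tree(events):
    """Return (parent_of, image_of) keyed by pid, de-duplicating repeated writes."""
    parent_of, image_of = {}, {}
    for ppid, pimg, cpid, cimg in events:
        image_of.setdefault(ppid, pimg)
        image_of.setdefault(cpid, cimg)
        parent_of.setdefault(cpid, ppid)
    return parent_of, image_of


def lineage(pid, parent_of, image_of):
    """Walk from pid up to its root; return [(pid, image), ...] root first."""
    chain, seen = [], set()
    while pid in image_of and pid not in seen:  # `seen` guards against pid-reuse loops
        seen.add(pid)
        chain.append((pid, image_of[pid]))
        pid = parent_of.get(pid)
    chain.reverse()
    return chain


def in_temp(path):
    return path.lower().startswith(TEMP_DIR.lower() + "\\")


def assess(events, min_temp_hops=2):
    """Flag every leaf whose ancestry has >= min_temp_hops consecutive Temp -> Temp
    launches, and count how many images in that chain carry the go-memexec name."""
    parent_of, image_of = build_tree(events)
    leaves = set(image_of) - set(parent_of.values())
    findings = []
    for leaf in sorted(leaves):
        chain = lineage(leaf, parent_of, image_of)
        temp_hops = sum(
            1 for (_, pimg), (_, cimg) in zip(chain, chain[1:])
            if in_temp(pimg) and in_temp(cimg)
        )
        memexec = sum(1 for _, img in chain if GO_MEMEXEC_RE.match(img.rsplit("\\", 1)[-1]))
        if temp_hops >= min_temp_hops:
            findings.append({
                "leaf_pid": leaf,
                "chain": [p for p, _ in chain],
                "temp_hops": temp_hops,
                "go_memexec_images": memexec,
            })
    return findings


if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(finding)
```

Counting consecutive Temp-to-Temp hops rather than matching the go-memexec name is the more durable signal: the name is trivial for a packer author to change, while a chain of user-writable-directory executables launching each other is the behaviour the sandbox actually observed.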
Downloads
- C:\Users\Admin\AppData\Local\Temp\go-memexec-016121755.exe
  Filesize: 328KB
  MD5: 58336a3811207c8d3f57709317b172e9
  SHA1: 221f507292989dbd52c3a26df4d3fb9f1d80af7a
  SHA256: a3afb74b961f0b9b6e484166d61b92eb8ab2a41f0a88cc11f02c6b316ebee74f
  SHA512: 99b0ccc043f20339d82bcdd5634dfa4ea863fb466121c67c663c12247d1f442cc0868b4cdd06aba64e3684015aa364af9d2ffc8567f14b585efa79d97cd43b80
- C:\Users\Admin\AppData\Local\Temp\go-memexec-562350551.exe
  Filesize: 8.5MB
  MD5: 786ec6298fecaf3917d8cdd971e4ca6c
  SHA1: 6a97ab8f62dd82e3f7a90d569dd938e83f7a9039
  SHA256: 7689d79518ea5d74a374c882fcd3c85624c026c858319a3403cf513cc0013705
  SHA512: ba3c772bc3cc062a878b5dfa141fae18cb574420ce4a9a9f9d0d4188ae3ede4aa2caa3229073acbbcdc5b9aab4b4790c873f4a1c01477cd86c04b382a35dc322
- C:\Users\Admin\AppData\Local\Temp\go-memexec-870809735.exe
  Filesize: 3.2MB
  MD5: 1e1735bff2d3c91b471c36ea563014b8
  SHA1: 5eb30dfa2fdc41d34c0a52da384aa531331c6343
  SHA256: 84c8bb6a84391404ae1ab0dc9760d87a35253bb4638b20156eb3dc1aeccb8e99
  SHA512: 964251a36457435095fea7b674d2eb30ea6fcb9ef66fa1ccfa6dc884beac6d577fdd26b0d45e2855d3ab77707db4d9b39410749fd61b395cf71a30c35d5cfaf5
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 8.5MB
  MD5: b624e5dc1f9b132fc5304634ccf683f4
  SHA1: 3f540b1284cd4cd2efac7fcc145ba16950499481
  SHA256: 5f77ad6e4d3e83d7875ee3895c7ce4860a01a7e99928a4e2e19e7adcbae25862
  SHA512: b99ec80e1f328445f4bd632b0e9e052567d31cf1dc81bb248a72076f6f26df664021ab8111fe6025b313a810bbde1672a3e94d0472fc60f172b24da2246fa05b
- memory/5060-11-0x0000000000020000-0x0000000000021000-memory.dmp
  Filesize: 4KB
- memory/5060-12-0x0000000000400000-0x0000000000455000-memory.dmp
  Filesize: 340KB
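Two things in the Downloads list matter for a host sweep beyond the hashes themselves: the go-memexec-<digits>.exe temp-file names, and an svchost.exe written to the user's Temp directory (8.5MB, the same size as go-memexec-562350551.exe but with different hashes) that never appears in the process tree, so a scan of the disk finds it where a scan of running processes would not. The following is an added example, not part of this Triage report, that sweeps a directory tree, hashes every file in one pass, and reports matches on the SHA-256 values listed above, on the go-memexec name pattern, and on an svchost.exe located outside the Windows system directories. make_demo_dir() builds a constructed directory for running it; the empty-file SHA-256 in DEMO_KNOWN is an addition of this example so the demo can exercise a hash hit, and the system-directory prefix list is an assumption of the example.

```python
"""Added example, not part of the Triage report: sweep a directory for the
dropped files listed on this page by SHA-256 and by two naming signals."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 values exactly as listed in this report's Downloads section.
KNOWN_SHA256 = {
    "a3afb74b961f0b9b6e484166d61b92eb8ab2a41f0a88cc11f02c6b316ebee74f": "go-memexec-016121755.exe",
    "7689d79518ea5d74a374c882fcd3c85624c026c858319a3403cf513cc0013705": "go-memexec-562350551.exe",
    "84c8bb6a84391404ae1ab0dc9760d87a35253bb4638b20156eb3dc1aeccb8e99": "go-memexec-870809735.exe",
    "5f77ad6e4d3e83d7875ee3895c7ce4860a01a7e99928a4e2e19e7adcbae25862": "svchost.exe (dropped to Temp)",
}

GO_MEMEXEC_RE = re.compile(r"^go-memexec-\d+\.exe$", re.IGNORECASE)
# Assumption of this example: the only places a legitimate svchost.exe lives.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def hash_file(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def is_under_system_dir(path):
    p = str(path).lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def sweep(root, known=KNOWN_SHA256):
    """Return [(path, sha256, [reasons...])] for every file that trips a check."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digests = hash_file(p)
        reasons = []
        label = known.get(digests["sha256"])
        if label:
            reasons.append("hash:" + label)
        if GO_MEMEXEC_RE.match(p.name):
            reasons.append("name:go-memexec-temp-file")
        if p.name.lower() == "svchost.exe" and not is_under_system_dir(p):
            reasons.append("masquerade:svchost-outside-system-dir")
        if reasons:
            findings.append((str(p), digests["sha256"], reasons))
    return findings


def summarize(findings):
    """Collapse sweep() output to {basename: reasons} for quick review."""
    return {os.path.basename(path): reasons for path, _, reasons in findings}


# Constructed for the demo: SHA-256 of an empty file, so a hash hit can be shown.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
DEMO_KNOWN = {**KNOWN_SHA256, EMPTY_SHA256: "constructed empty file"}


def make_demo_dir():
    """Constructed directory: an empty fake svchost.exe, a go-memexec-named drop, a benign file."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    Path(root, "svchost.exe").write_bytes(b"")
    Path(root, "go-memexec-123456789.exe").write_bytes(b"MZ" + b"\0" * 64)
    Path(root, "notes.txt").write_bytes(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    for path, sha256, reasons in sweep(make_demo_dir(), DEMO_KNOWN):
        print(sha256[:16], reasons, path)
```

Hashing in one pass matters on real hosts: the drops here are up to 8.5MB and the sample 19.3MB, and rereading each file per algorithm triples the I/O for no gain. The name and location checks are there because hash matches only catch these exact builds; a rebuilt payload keeps the go-memexec naming and the Temp-resident svchost.exe unless the author changes them.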