Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
submitted: 29-03-2024 10:16

Behavioral task: behavioral1
Sample: 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Size: 733KB
MD5: 1f67cc3aee307cde9e5102d372f9b87e
SHA1: 9add3dadb96e4c8048bb826e652f7e5f90f2a5c1
SHA256: 8618bf549fe77b12325caeac35e24857145cba568d740c191a5850e2cc2c3960
SHA512: e2511fafd5a44bfb4a5d091cb1cd9a94aad8f02f39f248e273aeeae805007907c438ce6e7e12de38792d7366b16e4ca56173708497ff503b4190f52d10d2642d
SSDEEP: 12288:8qzcpVgUXzL0TTUKZHTNloEkOpnKgofuIwV6eAj0wZxxXMcEe/3paPcgrX:8qzcpKIL0TvZzNlNky0wVW0wZxxVgrX
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
Description: Key opened
IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
PID 4736: 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeShutdownPrivilege, PID 4736, 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Token: SeDebugPrivilege, PID 4736, 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Token: SeTcbPrivilege, PID 4736, 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
PID 4736: 1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1f67cc3aee307cde9e5102d372f9b87e_JaffaCakes118.exe"
PID: 4736
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network

DNS traffic. All queries were sent to the resolver 8.8.8.8:53. The only forward (A) lookup is deli.mywire.org, answered with 46.196.24.72; every other query is a reverse (PTR) lookup, most of which returned no records. Columns: query, record type, number of requests, response, bytes sent, bytes received, packets sent / received.

Query                        Type  Reqs  Response                                              Sent   Recv   Pkts
deli.mywire.org              A     2     46.196.24.72                                          122 B  77 B   2 / 1
97.17.167.52.in-addr.arpa    PTR   4     (no records)                                          284 B  145 B  4 / 1
0.204.248.87.in-addr.arpa    PTR   3     https-87-248-204-0.lhr.llnw.net                       213 B  116 B  3 / 1
75.159.190.20.in-addr.arpa   PTR   3     (no records)                                          216 B  158 B  3 / 1
183.142.211.20.in-addr.arpa  PTR   1     (no records)                                          73 B   159 B  1 / 1
104.219.191.52.in-addr.arpa  PTR   1     (no records)                                          73 B   147 B  1 / 1
152.33.115.104.in-addr.arpa  PTR   1     a104-115-33-152.deploy.static.akamaitechnologies.com  73 B   139 B  1 / 1
178.223.142.52.in-addr.arpa  PTR   1     (no records)                                          73 B   147 B  1 / 1
157.123.68.40.in-addr.arpa   PTR   1     (no records)                                          72 B   146 B  1 / 1
18.31.95.13.in-addr.arpa     PTR   1     (no records)                                          70 B   144 B  1 / 1
217.135.221.88.in-addr.arpa  PTR   1     a88-221-135-217.deploy.static.akamaitechnologies.com  73 B   139 B  1 / 1
240.221.184.93.in-addr.arpa  PTR   1     (no records)                                          73 B   144 B  1 / 1
13.227.111.52.in-addr.arpa   PTR   1     (no records)                                          72 B   158 B  1 / 1
deli.mywire.org              A     1     46.196.24.72                                          61 B   77 B   1 / 1
198.111.78.13.in-addr.arpa   PTR   1     (no records)                                          72 B   146 B  1 / 1

Three further flows are listed without request details: 260 B sent / 120 B received (5 / 3 packets), 260 B / 200 B (5 / 5), and 260 B / 160 B (5 / 4).