Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-04-2024 14:45

General

  • Target

    e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe

  • Size

    2.7MB

  • MD5

    e7b51c1c6ef9061cd9b2bc34026573cd

  • SHA1

    230279d7b09d67cc8484522b277f0d8607b7a2ad

  • SHA256

    bc447572a77636cd923b3d6cb95300d370ba365b1eb32e9654779482e1f7c251

  • SHA512

    6552807db8a039cf2324695497ca37874c6b952214e9334f197eefc488a6c6488e89ee4ec66443a14525ed2c580bef1fcdcdac7ecd25f23252a7063bd1b4076f

  • SSDEEP

    49152:G7GlZ+4+HpYjyCQYYd+4eHWd/IsHVaTnKFhZX0PEUUm3lA8+Jejs71:G7qZ+hYjylYYd+5HW/116KF2EJm1APMw

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
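The "UPX packed file" signature above is a static check on the PE headers. The following is an added example of how such a check is built, not code from the sandbox or from the sample: two PE images are constructed inline (headers only, no code) so it runs offline, and the heuristics are the ones a UPX rule typically combines: UPX0/UPX1/UPX! section names, the "UPX!" marker that stock UPX writes right after the section table, and a first section whose SizeOfRawData is 0 while its VirtualSize is large (the area reserved for the unpacked image). The section sizes in the fixtures are made up and are not taken from this sample.

```python
"""UPX packing check from PE section headers (added example, constructed fixtures)."""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"      # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
SECTION_SIZE = struct.calcsize(SECTION_FMT)   # 40 bytes
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def _section_table(data: bytes):
    """Return (offset, count) of the section table after validating the MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    return coff + struct.calcsize(COFF_HEADER_FMT) + size_opt, nsections


def parse_sections(data: bytes):
    """List of (name, VirtualSize, VirtualAddress, SizeOfRawData) for every section."""
    offset, count = _section_table(data)
    out = []
    for i in range(count):
        name, vsize, vaddr, rawsize, *_ = struct.unpack_from(SECTION_FMT, data, offset + i * SECTION_SIZE)
        out.append((name.rstrip(b"\0"), vsize, vaddr, rawsize))
    return out


def upx_indicators(data: bytes):
    """Names of the UPX heuristics that fire, in a fixed order."""
    sections = parse_sections(data)
    offset, count = _section_table(data)
    table_end = offset + count * SECTION_SIZE
    hits = []
    if any(s[0] in UPX_SECTION_NAMES for s in sections):
        hits.append("upx_section_names")
    if b"UPX!" in data[table_end:0x1000]:            # stock UPX keeps its l_info marker after the section table
        hits.append("upx_marker")
    if sections and sections[0][3] == 0 and sections[0][1] > 0:
        hits.append("empty_first_section")            # weak on its own: other packers reserve space the same way
    return hits


def is_upx_packed(data: bytes) -> bool:
    """Require two independent indicators to keep false positives down."""
    return len(upx_indicators(data)) >= 2


def build_pe(sections, trailer=b""):
    """Construct a minimal PE image (headers only) as a test fixture."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x102)   # no optional header
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections
    )
    return bytes(dos) + PE_SIGNATURE + coff + table + trailer


# Constructed samples: a UPX-style layout and an ordinary compiler layout (sizes are arbitrary).
UPX_SAMPLE = build_pe(
    [(b"UPX0", 0x300000, 0x1000, 0, 0x400, 0xE0000080),              # reserved for the unpacked image, nothing on disk
     (b"UPX1", 0x1F0000, 0x301000, 0x1EF000, 0x400, 0xE0000040),     # compressed data plus the unpacking stub
     (b".rsrc", 0x8000, 0x4F1000, 0x7000, 0x1EF400, 0xC0000040)],
    trailer=b"UPX!" + b"\0" * 12,
)
PLAIN_SAMPLE = build_pe(
    [(b".text", 0x10000, 0x1000, 0x10000, 0x400, 0x60000020),
     (b".data", 0x2000, 0x11000, 0x1000, 0x10400, 0xC0000040)],
)
```

Run `upx_indicators(open(path, "rb").read())` on a real file to see which of the three heuristics fire; a modified UPX build often strips the section names and the marker, which is why the size-0 first section is kept as a third, weaker signal rather than dropped.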

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:1948

Network

    Country: US
    DNS
    zipansion.com
    e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    172.67.144.180
    zipansion.com
    IN A
    104.21.73.114
    Country: US
    GET
    http://zipansion.com/2pRLi
    e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Remote address:
    172.67.144.180:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 08 Apr 2024 14:45:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=kbalrdluq4df7hfdgv55btqbln; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NSRCZhAsURlYK1NFNgbiLDeXsszmSX92jheZUAvGSaBxsNx9l8Z%2BNtkJkh7voEO7P1AZ0NcO4zfCjfXXFkJcogxC3u60OubVDqPoCxDit5wHOqUiph9eKPMzsO8aNvy5"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87130ae5e9cb414d-LHR
    alt-svc: h2=":443"; ma=60
    Country: US
    DNS
    yxeepsek.net
    e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    104.21.20.204
    yxeepsek.net
    IN A
    172.67.194.101
    Country: US
    GET
    http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541
    e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Remote address:
    104.21.20.204:80
    Request
    GET /-36721JXQO/2pRLi?rndad=3211120935-1712587541 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Mon, 08 Apr 2024 14:45:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=6urgo2paq3bi4tj2lc3r696ht3; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MsXVc8v7GTtUR1kzb3GsoSDqNs5n84EYIl2gh1OYINg9PjFTFPvWK5cmtCe7XvywTSPErDcXfaVcq2M3JxcxtR7KiaozAnJjzMIJ0DYwml0ckQdp%2BTh6alJJJZcI0xc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87130ae80ed94173-LHR
    alt-svc: h2=":443"; ma=60
    Country: US
    GET
    http://yxeepsek.net/suspended?a=3&u=20186239
    e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Remote address:
    104.21.20.204:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=6urgo2paq3bi4tj2lc3r696ht3
    Response
    HTTP/1.1 200 OK
    Date: Mon, 08 Apr 2024 14:45:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BoVLe9YJdPVlEMEp6O2zL4gGpuVKIOlVJHF1ngiJ1EZb4WNafxOT4j9cEwKHDz%2BgOaMLIQm2eVgqHqPVzTmsyfqJ75qQXQeSaHl9o0WusJco2IhyE7I7C3GH5CtE68%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87130ae989774173-LHR
    alt-svc: h2=":443"; ma=60
  • 172.67.144.180:80
    URL: http://zipansion.com/2pRLi
    Protocol: http
    Process: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Sent: 443 B
    Received: 2.1kB
    Packets sent: 6
    Packets received: 5

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 104.21.20.204:80
    URL: http://yxeepsek.net/suspended?a=3&u=20186239
    Protocol: http
    Process: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Sent: 834 B
    Received: 3.2kB
    Packets sent: 8
    Packets received: 8

    HTTP Request

    GET http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    Domain: zipansion.com
    Protocol: dns
    Process: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Sent: 59 B
    Received: 91 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    zipansion.com

    DNS Response

    172.67.144.180
    104.21.73.114

  • 8.8.8.8:53
    Domain: yxeepsek.net
    Protocol: dns
    Process: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
    Sent: 58 B
    Received: 90 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    yxeepsek.net

    DNS Response

    104.21.20.204
    172.67.194.101
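The HTTP traffic above is a link-shortener chain rather than a direct download: zipansion.com answers with an adf.ly header (x-powered-by: adfly) and a 301 to yxeepsek.net, which 302s with a relative Location to /suspended, so the destination the sample was trying to reach was never served in this run. The request also carries a fixed Firefox 59 / "Windows NT 10.0" User-Agent although the sandbox is Windows 7, which is worth matching on. The script below is an added example, not code from the report: it replays the three responses from an inline fixture, resolves the relative Location against the current URL, caps the hop count, refuses loops, and reduces the chain to the indicators an analyst would record.

```python
"""Walk the sample's redirect chain offline and summarise it (added example, fixture transcribed from the report)."""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed fixture: (status, headers) per URL, as observed in the report's HTTP section.
RESPONSES = {
    "http://zipansion.com/2pRLi": (301, {
        "Location": "http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541",
        "x-powered-by": "adfly", "Server": "cloudflare"}),
    "http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541": (302, {
        "Location": "/suspended?a=3&u=20186239",
        "x-powered-by": "adfly", "Server": "cloudflare"}),
    "http://yxeepsek.net/suspended?a=3&u=20186239": (200, {
        "Content-Type": "text/html", "Server": "cloudflare"}),
}


def offline_fetch(url):
    """Stand-in for an HTTP client; returns (status, headers) from the fixture."""
    if url not in RESPONSES:
        raise ConnectionError(f"no fixture for {url}")
    return RESPONSES[url]


def follow_chain(start, fetch, max_hops=10):
    """Return one record per hop: url, host, status and the X-Powered-By value."""
    hops, seen, url = [], set(), start
    while True:
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        status, headers = fetch(url)
        h = {k.lower(): v for k, v in headers.items()}        # header names are case-insensitive
        hops.append({"url": url, "host": urlsplit(url).hostname,
                     "status": status, "powered_by": h.get("x-powered-by")})
        if status in REDIRECT_STATUSES and "location" in h:
            if len(hops) >= max_hops:
                raise RuntimeError(f"more than {max_hops} redirects from {start}")
            url = urljoin(url, h["location"])   # a relative Location resolves against the current URL
            continue
        return hops


def summarise(hops):
    """Collapse the hop list into the facts worth recording as indicators."""
    hosts = []
    for hop in hops:
        if hop["host"] not in hosts:
            hosts.append(hop["host"])
    final = hops[-1]
    return {
        "hosts": hosts,
        "statuses": [hop["status"] for hop in hops],
        "shortener_hops": sum(1 for hop in hops if hop["powered_by"] == "adfly"),
        "final_url": final["url"],
        "landed_on_suspended": final["status"] == 200 and urlsplit(final["url"]).path == "/suspended",
    }


if __name__ == "__main__":
    for key, value in summarise(follow_chain("http://zipansion.com/2pRLi", offline_fetch)).items():
        print(f"{key}: {value}")
```

Swapping `offline_fetch` for a real client that does not follow redirects itself (so each hop is seen) gives the same summary for a live chain; keep the hop cap, because shortener chains that bounce between affiliate domains are exactly where an unbounded follower hangs.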

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe

    Filesize

    2.7MB

    MD5

    743e70a9da8d6cd519fff87b13156dee

    SHA1

    3f5cc89734e8cad4343b46e070e804042b610459

    SHA256

    4ba3ea03380830b8dee456782c5a1306277d7aa7b7421bd8220c842514a3c0ae

    SHA512

    d9112a5e5c15d045cfca72993d49c406880c35694be5a504256cc1c7de655b4199eb35b710dff97faecca997283f24452ed0f765492d81666c8998a1a2b4af5b

  • memory/1948-17-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/1948-19-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/1948-21-0x0000000001A60000-0x0000000001B72000-memory.dmp

    Filesize

    1.1MB

  • memory/1948-27-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/2276-0-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/2276-1-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2276-2-0x0000000000130000-0x0000000000242000-memory.dmp

    Filesize

    1.1MB

  • memory/2276-16-0x0000000003820000-0x0000000003C8A000-memory.dmp

    Filesize

    4.4MB

  • memory/2276-14-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2276-26-0x0000000003820000-0x0000000003C8A000-memory.dmp

    Filesize

    4.4MB
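Read together, the process tree and the memory dumps describe one pattern: the sample starts a second copy of itself, the parent is flagged for WriteProcessMemory and UnmapMainImage, the child for UnmapMainImage and "Executes dropped EXE", and the child's region at 0x400000 is dumped first at 1.9MB and later at 4.4MB while the parent holds a 4.4MB region at 0x3820000. That is consistent with a RunPE / process-hollowing launch of the unpacked image, and the "Deletes itself" / "RenamesItself" behaviours together with the different hash listed under Downloads for the same path show the file on disk was replaced during the run. The script below is an added example, not code from the sandbox: it takes the tree and the dump names transcribed from this page and derives those observations. It assumes the dump names follow memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp with <n> increasing through the run, as the list suggests.

```python
"""Triage a sandbox process tree and memory-dump list for a self-hollowing pattern (added example)."""
import re

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe"

# Constructed input: the two processes and their behaviour tags as listed in the report.
PROCESSES = [
    {"pid": 2276, "ppid": None, "image": IMAGE,
     "behaviours": {"Loads dropped DLL", "Suspicious behavior: RenamesItself",
                    "Suspicious use of UnmapMainImage", "Suspicious use of WriteProcessMemory"}},
    {"pid": 1948, "ppid": 2276, "image": IMAGE,
     "behaviours": {"Deletes itself", "Executes dropped EXE", "Suspicious use of UnmapMainImage"}},
]

# Constructed input: the dump names from the Downloads section.
DUMPS = [
    "memory/1948-17-0x0000000000400000-0x00000000005F2000-memory.dmp",
    "memory/1948-19-0x0000000000400000-0x000000000086A000-memory.dmp",
    "memory/1948-21-0x0000000001A60000-0x0000000001B72000-memory.dmp",
    "memory/1948-27-0x0000000000400000-0x000000000086A000-memory.dmp",
    "memory/2276-0-0x0000000000400000-0x000000000086A000-memory.dmp",
    "memory/2276-1-0x0000000000400000-0x00000000005F2000-memory.dmp",
    "memory/2276-2-0x0000000000130000-0x0000000000242000-memory.dmp",
    "memory/2276-16-0x0000000003820000-0x0000000003C8A000-memory.dmp",
    "memory/2276-14-0x0000000000400000-0x00000000005F2000-memory.dmp",
    "memory/2276-26-0x0000000003820000-0x0000000003C8A000-memory.dmp",
]

# Assumed naming convention: pid, sequence number, start and end address.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def hollowing_candidates(processes):
    """(parent_pid, child_pid) pairs where a process launches its own image, the parent
    writes into another process and the child unmaps its main image."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for child in processes:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (child["image"].lower() == parent["image"].lower()
                and "Suspicious use of WriteProcessMemory" in parent["behaviours"]
                and "Suspicious use of UnmapMainImage" in child["behaviours"]):
            hits.append((parent["pid"], child["pid"]))
    return hits


def staged_image_matches(dumps, parent_pid, child_pid, image_base=0x400000):
    """Regions dumped from the parent away from its own image base whose size equals a
    region dumped at the child's image base: the staged payload before and after the write."""
    parsed = [parse_dump_name(d) for d in dumps]
    child_sizes = {d["size"] for d in parsed if d["pid"] == child_pid and d["start"] == image_base}
    matches = {(hex(d["start"]), d["size"]) for d in parsed
               if d["pid"] == parent_pid and d["start"] != image_base and d["size"] in child_sizes}
    return sorted(matches)


def image_region_growth(dumps, pid, image_base=0x400000):
    """(first, last) size of the region at the image base over the run; a jump is what a
    main image replaced by a larger unpacked one looks like."""
    sizes = sorted((d["seq"], d["size"]) for d in (parse_dump_name(x) for x in dumps)
                   if d["pid"] == pid and d["start"] == image_base)
    return (sizes[0][1], sizes[-1][1]) if sizes else (0, 0)
```

On this page's data the candidate pair is (2276, 1948), the parent region at 0x3820000 matches the child's 4.4MB image region, and the child's image region grows from 0x1F2000 to 0x46A000 bytes between its first and last dump; the 4.4MB dump of the child at 0x400000 is the one to unpack and analyse further.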