Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 08-04-2024 14:45
Behavioral task: behavioral1
- Sample: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Size: 2.7MB
- MD5: e7b51c1c6ef9061cd9b2bc34026573cd
- SHA1: 230279d7b09d67cc8484522b277f0d8607b7a2ad
- SHA256: bc447572a77636cd923b3d6cb95300d370ba365b1eb32e9654779482e1f7c251
- SHA512: 6552807db8a039cf2324695497ca37874c6b952214e9334f197eefc488a6c6488e89ee4ec66443a14525ed2c580bef1fcdcdac7ecd25f23252a7063bd1b4076f
- SSDEEP: 49152:G7GlZ+4+HpYjyCQYYd+4eHWd/IsHVaTnKFhZX0PEUUm3lA8+Jejs71:G7qZ+hYjylYYd+5HW/116KF2EJm1APMw
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  1948 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1948 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- resource | yara_rule
  behavioral1/memory/2276-0-0x0000000000400000-0x000000000086A000-memory.dmp | upx
  behavioral1/files/0x000c000000012331-11.dat | upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
  1948 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2276 wrote to memory of 1948 | 2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe | 28
  PID 2276 wrote to memory of 1948 | 2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe | 28
  PID 2276 wrote to memory of 1948 | 2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe | 28
  PID 2276 wrote to memory of 1948 | 2276 | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 2276
   2. C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 1948
Network
- DNS
Remote address: 8.8.8.8:53
Request: zipansion.com IN A
Response: zipansion.com IN A 172.67.144.180
          zipansion.com IN A 104.21.73.114
- HTTP
Remote address: 172.67.144.180:80
Request:
GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=kbalrdluq4df7hfdgv55btqbln; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NSRCZhAsURlYK1NFNgbiLDeXsszmSX92jheZUAvGSaBxsNx9l8Z%2BNtkJkh7voEO7P1AZ0NcO4zfCjfXXFkJcogxC3u60OubVDqPoCxDit5wHOqUiph9eKPMzsO8aNvy5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87130ae5e9cb414d-LHR
alt-svc: h2=":443"; ma=60
- DNS
Remote address: 8.8.8.8:53
Request: yxeepsek.net IN A
Response: yxeepsek.net IN A 104.21.20.204
          yxeepsek.net IN A 172.67.194.101
- HTTP
GET http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541 (process: e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe)
Remote address: 104.21.20.204:80
Request:
GET /-36721JXQO/2pRLi?rndad=3211120935-1712587541 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Response:
HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=6urgo2paq3bi4tj2lc3r696ht3; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MsXVc8v7GTtUR1kzb3GsoSDqNs5n84EYIl2gh1OYINg9PjFTFPvWK5cmtCe7XvywTSPErDcXfaVcq2M3JxcxtR7KiaozAnJjzMIJ0DYwml0ckQdp%2BTh6alJJJZcI0xc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87130ae80ed94173-LHR
alt-svc: h2=":443"; ma=60
- HTTP
Remote address: 104.21.20.204:80
Request:
GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=6urgo2paq3bi4tj2lc3r696ht3
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BoVLe9YJdPVlEMEp6O2zL4gGpuVKIOlVJHF1ngiJ1EZb4WNafxOT4j9cEwKHDz%2BgOaMLIQm2eVgqHqPVzTmsyfqJ75qQXQeSaHl9o0WusJco2IhyE7I7C3GH5CtE68%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87130ae989774173-LHR
alt-svc: h2=":443"; ma=60
- 172.67.144.180:80 | http://zipansion.com/2pRLi | http | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe | 443 B | 2.1kB | 6 | 5
  HTTP Request: GET http://zipansion.com/2pRLi
  HTTP Response: 301
- 104.21.20.204:80 | http://yxeepsek.net/suspended?a=3&u=20186239 | http | e7b51c1c6ef9061cd9b2bc34026573cd_JaffaCakes118.exe | 834 B | 3.2kB | 8 | 8
  HTTP Request: GET http://yxeepsek.net/-36721JXQO/2pRLi?rndad=3211120935-1712587541
  HTTP Response: 302
  HTTP Request: GET http://yxeepsek.net/suspended?a=3&u=20186239
  HTTP Response: 200
- 59 B | 91 B | 1 | 1
  DNS Request: zipansion.com
  DNS Response: 172.67.144.180, 104.21.73.114
- 58 B | 90 B | 1 | 1
  DNS Request: yxeepsek.net
  DNS Response: 104.21.20.204, 172.67.194.101
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.7MB
- MD5: 743e70a9da8d6cd519fff87b13156dee
- SHA1: 3f5cc89734e8cad4343b46e070e804042b610459
- SHA256: 4ba3ea03380830b8dee456782c5a1306277d7aa7b7421bd8220c842514a3c0ae
- SHA512: d9112a5e5c15d045cfca72993d49c406880c35694be5a504256cc1c7de655b4199eb35b710dff97faecca997283f24452ed0f765492d81666c8998a1a2b4af5b