Analysis
-
max time kernel
139s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10/04/2024, 13:18 UTC
General
-
Target
eb285444be3235c85169464520f3b908_JaffaCakes118.exe
-
Size
266KB
-
MD5
eb285444be3235c85169464520f3b908
-
SHA1
7e28216012d4aed258962d98905c347fa9a0138b
-
SHA256
087904265aff5c1144e15d47f3a443c93ceaf05bb7c9f1f244bffc9084d3c91d
-
SHA512
d5477ad797033a64363e14d85cece32103702be4a0c55e12f312f9c9d69d7e5ac697d11d468ae660ba9beeb359800597b1fa313054aed58954eac2f82cf19dee
-
SSDEEP
6144:DF+c7dA/O74U7YURI2EhdJnHBGxUxghG7wxWm8miyZHrUqaQ:DF+G2yV7bq24gquUwIuiyZHoqP
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb285444be3235c85169464520f3b908_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eb285444be3235c85169464520f3b908_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\eb285444be3235c85169464520f3b908_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\eb285444be3235c85169464520f3b908_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
-
Network
-
DNScutit.orgRemote address:8.8.8.8:53Requestcutit.orgIN AResponsecutit.orgIN A64.91.240.248 -
DNSww1.cutit.orgRemote address:8.8.8.8:53Requestww1.cutit.orgIN AResponseww1.cutit.orgIN CNAMEsedoparking.comsedoparking.comIN A64.190.63.136
-
GEThttp://ww1.cutit.org/oxgBR?usid=25&utid=6411416439Remote address:64.190.63.136:80RequestGET /oxgBR?usid=25&utid=6411416439 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww1.cutit.org
ResponseHTTP/1.1 439
date: Wed, 10 Apr 2024 13:18:58 GMT
content-length: 0
server: NginX
-
DNSq.gsRemote address:8.8.8.8:53Requestq.gsIN AResponseq.gsIN A172.67.193.84q.gsIN A104.21.84.133
-
GEThttp://q.gs/EVnYCRemote address:172.67.193.84:80RequestGET /EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: q.gs
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 10 Apr 2024 13:18:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=fvteio2q4q67fq0g9vohsh22ld; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-20ERKW/EVnYC?rndad=3211120935-1712755139
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZR%2BmZbEUyfxtlRudT3CTD8QcIeR5y%2B2e%2Bh42AgX9dFT%2BXpaGh6SmUgwIsDjWyl3AHAXkQjb%2BlyWYWNjGpUGqMDmQ1hnAzgA763AGTcbEEzmBIhU7Rz4W"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 872306a1eb0623bf-LHR
alt-svc: h2=":443"; ma=60
-
DNSyxeepsek.netRemote address:8.8.8.8:53Requestyxeepsek.netIN AResponseyxeepsek.netIN A172.67.194.101yxeepsek.netIN A104.21.20.204
-
GEThttp://yxeepsek.net/-20ERKW/EVnYC?rndad=3211120935-1712755139Remote address:172.67.194.101:80RequestGET /-20ERKW/EVnYC?rndad=3211120935-1712755139 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
ResponseHTTP/1.1 302 Found
Date: Wed, 10 Apr 2024 13:18:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=oqc7adv0fg00kck2vcuof3dt2a; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=92d5tCKNHzZkGEbmnLYKvDPatLKNuWOohzjB%2BWgHsYdz8HDVdT9i9%2FF0E1pOmbiolDNeF8mXp99ACpK3qd2U%2F%2BRuTCllw%2FyP2w%2Fcb%2BbD95A%2FGn4L35YoXHpjrjshJrU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 872306a40cd39475-LHR
alt-svc: h2=":443"; ma=60
-
GEThttp://yxeepsek.net/suspended?a=3&u=20186239Remote address:172.67.194.101:80RequestGET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=oqc7adv0fg00kck2vcuof3dt2a
ResponseHTTP/1.1 200 OK
Date: Wed, 10 Apr 2024 13:18:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WkF9yH92o4fQUPG9EG2OZLZYmTglNYzBurbsRNtJ1pgiJoLn840aYbpvTXl%2FkYzQoICeMssT6WymC5ZhsGTd%2B4vYJ5r%2FYhRBYNSMKk7mULYneWrPGAfcDvk4vT6kN2Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 872306a58fba9475-LHR
alt-svc: h2=":443"; ma=60
-
64.91.240.248:443cutit.orgtls
-
64.190.63.136:80http://ww1.cutit.org/oxgBR?usid=25&utid=6411416439http
HTTP Request
GET http://ww1.cutit.org/oxgBR?usid=25&utid=6411416439HTTP Response
439 -
172.67.193.84:80http://q.gs/EVnYChttp
HTTP Request
GET http://q.gs/EVnYCHTTP Response
301 -
172.67.194.101:80http://yxeepsek.net/suspended?a=3&u=20186239http
HTTP Request
GET http://yxeepsek.net/-20ERKW/EVnYC?rndad=3211120935-1712755139HTTP Response
302HTTP Request
GET http://yxeepsek.net/suspended?a=3&u=20186239HTTP Response
200
-
8.8.8.8:53cutit.orgdns
DNS Request
cutit.org
DNS Response
64.91.240.248
-
8.8.8.8:53ww1.cutit.orgdns
DNS Request
ww1.cutit.org
DNS Response
64.190.63.136
-
8.8.8.8:53q.gsdns
DNS Request
q.gs
DNS Response
172.67.193.84104.21.84.133
-
8.8.8.8:53yxeepsek.netdns
DNS Request
yxeepsek.net
DNS Response
172.67.194.101104.21.20.204
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
266KB
MD56924becd88ac058bd7db24303271c2b0
SHA1b2b27c703391360117b0ddd6e49cc8aa602da51d
SHA256428663a760bc46674a3ce16e13020f9fb63af7c17089097f040bcbc742b5526f
SHA512aaa1baa0788146cf63846e994840ffdcb1c64e11b26c9b2c1e0bbf7df0505ba40ffdf2ac3af4012476742b3ef8f9de1041e3adfb6e9dce9bc21005a1bd3a31ca
-
Filesize
132KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
124KB
-
Filesize
536KB
-
Filesize
124KB
-
Filesize
132KB
-
Filesize
536KB