Resubmissions
11-04-2024 11:14
240411-nb5z8sdd7y 1011-04-2024 11:14
240411-nb5dpsdd7w 1011-04-2024 11:14
240411-nb43yaac56 1011-04-2024 11:14
240411-nb3vwadd7t 1011-04-2024 11:14
240411-nb3j4sac55 1009-04-2024 03:54
240409-egc2zahd2z 1009-04-2024 03:53
240409-ef443adg89 1009-04-2024 03:53
240409-efxd8ahc9v 1009-04-2024 03:53
240409-efmvsahc8w 1003-04-2024 00:16
240403-akzypahh9t 10Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11-04-2024 11:14
Behavioral task
behavioral1
Sample
9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
-
Size
7.6MB
-
MD5
9b035bad2b8a21fb2c57fd784c89b8d5
-
SHA1
ee15fad65f3f22df7f54e218176c45d369ebb70f
-
SHA256
2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c
-
SHA512
96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde
-
SSDEEP
196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/
Malware Config
Extracted
bitrat
1.32
7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion:80
-
communication_password
e10adc3949ba59abbe56e057f20f883e
-
tor_process
dllhost
Signatures
-
BitRAT payload 2 IoCs
resource yara_rule behavioral3/memory/3832-0-0x0000000000400000-0x0000000000BAA000-memory.dmp family_bitrat behavioral3/memory/3832-56-0x0000000000400000-0x0000000000BAA000-memory.dmp family_bitrat -
ACProtect 1.3x - 1.4x DLL software 7 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral3/files/0x00070000000231fb-18.dat acprotect behavioral3/files/0x00070000000231fc-19.dat acprotect behavioral3/files/0x0007000000023202-23.dat acprotect behavioral3/files/0x00070000000231fe-24.dat acprotect behavioral3/files/0x00070000000231ff-22.dat acprotect behavioral3/files/0x0007000000023200-32.dat acprotect behavioral3/files/0x00070000000231fd-30.dat acprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe -
Executes dropped EXE 4 IoCs
pid Process 3968 dllhost.exe 3320 dllhost.exe 1696 dllhost.exe 1456 dllhost.exe -
Loads dropped DLL 31 IoCs
pid Process 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3968 dllhost.exe 3320 dllhost.exe 3320 dllhost.exe 3320 dllhost.exe 3320 dllhost.exe 3320 dllhost.exe 3320 dllhost.exe 3320 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1696 dllhost.exe 1456 dllhost.exe 1456 dllhost.exe 1456 dllhost.exe 1456 dllhost.exe 1456 dllhost.exe 1456 dllhost.exe 1456 dllhost.exe -
resource yara_rule behavioral3/files/0x0007000000023201-14.dat upx behavioral3/files/0x00070000000231fb-18.dat upx behavioral3/files/0x00070000000231fc-19.dat upx behavioral3/files/0x0007000000023202-23.dat upx behavioral3/memory/3968-25-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-34-0x0000000073F20000-0x0000000073FE8000-memory.dmp upx behavioral3/memory/3968-33-0x0000000073FF0000-0x00000000740BE000-memory.dmp upx behavioral3/files/0x00070000000231fe-24.dat upx behavioral3/files/0x00070000000231ff-22.dat upx behavioral3/files/0x0007000000023200-32.dat upx behavioral3/files/0x00070000000231fd-30.dat upx behavioral3/memory/3968-37-0x0000000073EF0000-0x0000000073F14000-memory.dmp upx behavioral3/memory/3968-38-0x0000000073DE0000-0x0000000073EEA000-memory.dmp upx behavioral3/memory/3968-39-0x0000000073D50000-0x0000000073DD8000-memory.dmp upx behavioral3/memory/3968-40-0x0000000001250000-0x00000000012D8000-memory.dmp upx behavioral3/memory/3968-43-0x00000000740C0000-0x0000000074109000-memory.dmp upx behavioral3/memory/3968-46-0x0000000073A80000-0x0000000073D4F000-memory.dmp upx behavioral3/memory/3968-48-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-50-0x0000000073FF0000-0x00000000740BE000-memory.dmp upx behavioral3/memory/3968-51-0x0000000073F20000-0x0000000073FE8000-memory.dmp upx behavioral3/memory/3968-52-0x0000000073EF0000-0x0000000073F14000-memory.dmp upx behavioral3/memory/3968-55-0x0000000073A80000-0x0000000073D4F000-memory.dmp upx behavioral3/memory/3968-57-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-58-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-76-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-90-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-116-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-133-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3968-141-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3320-159-0x0000000073A80000-0x0000000073D4F000-memory.dmp upx behavioral3/memory/3320-161-0x0000000073F20000-0x0000000073FE8000-memory.dmp upx behavioral3/memory/3320-162-0x0000000073FF0000-0x00000000740BE000-memory.dmp upx behavioral3/memory/3320-163-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/3320-165-0x0000000073A80000-0x0000000073D4F000-memory.dmp upx behavioral3/memory/3320-167-0x0000000073EF0000-0x0000000073F14000-memory.dmp upx behavioral3/memory/3320-170-0x0000000073D50000-0x0000000073DD8000-memory.dmp upx behavioral3/memory/3320-169-0x0000000073DE0000-0x0000000073EEA000-memory.dmp upx behavioral3/memory/3320-164-0x00000000740C0000-0x0000000074109000-memory.dmp upx behavioral3/memory/3320-156-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/1696-188-0x0000000073A80000-0x0000000073B48000-memory.dmp upx behavioral3/memory/1696-189-0x0000000072950000-0x0000000072999000-memory.dmp upx behavioral3/memory/1696-190-0x0000000072920000-0x0000000072944000-memory.dmp upx behavioral3/memory/1696-197-0x0000000072780000-0x0000000072808000-memory.dmp upx behavioral3/memory/1696-194-0x0000000072810000-0x000000007291A000-memory.dmp upx behavioral3/memory/1696-198-0x00000000726B0000-0x000000007277E000-memory.dmp upx behavioral3/memory/1696-199-0x0000000073B50000-0x0000000073E1F000-memory.dmp upx behavioral3/memory/1696-215-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/1696-224-0x0000000073A80000-0x0000000073B48000-memory.dmp upx behavioral3/memory/1456-250-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/1456-252-0x0000000073B50000-0x0000000073E1F000-memory.dmp upx behavioral3/memory/1456-254-0x0000000073A80000-0x0000000073B48000-memory.dmp upx behavioral3/memory/1456-259-0x0000000072950000-0x0000000072999000-memory.dmp upx behavioral3/memory/1456-255-0x00000000726B0000-0x000000007277E000-memory.dmp upx behavioral3/memory/1456-264-0x0000000072810000-0x000000007291A000-memory.dmp upx behavioral3/memory/1456-262-0x0000000072920000-0x0000000072944000-memory.dmp upx behavioral3/memory/1696-261-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/1456-266-0x0000000072780000-0x0000000072808000-memory.dmp upx behavioral3/memory/1456-272-0x00000000001E0000-0x00000000005E4000-memory.dmp upx behavioral3/memory/1456-275-0x00000000726B0000-0x000000007277E000-memory.dmp upx behavioral3/memory/1456-274-0x0000000073A80000-0x0000000073B48000-memory.dmp upx behavioral3/memory/1456-273-0x0000000073B50000-0x0000000073E1F000-memory.dmp upx -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 93 myexternalip.com 96 myexternalip.com 70 myexternalip.com 71 myexternalip.com 82 myexternalip.com -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe Token: SeShutdownPrivilege 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3832 wrote to memory of 3968 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 86 PID 3832 wrote to memory of 3968 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 86 PID 3832 wrote to memory of 3968 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 86 PID 3832 wrote to memory of 3320 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 93 PID 3832 wrote to memory of 3320 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 93 PID 3832 wrote to memory of 3320 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 93 PID 3832 wrote to memory of 1696 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 94 PID 3832 wrote to memory of 1696 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 94 PID 3832 wrote to memory of 1696 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 94 PID 3832 wrote to memory of 1456 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 95 PID 3832 wrote to memory of 1456 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 95 PID 3832 wrote to memory of 1456 3832 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3968
-
-
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3320
-
-
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696
-
-
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD50835d3d4e33448f964c841ed6ca4fc64
SHA1b6357bdef526ac57ad0c8214e317fb4dc4aabf29
SHA256d5d01724b60f192552c94adde7670780698d41a4e727567684bb02ce0a674064
SHA51242a019ecda56de675295b5b0d98be24b89d543ec94fe607257d9acf3d2ab0c8d2b5461c90b8ee996c8092bb35d635223b9b418c2365c4d8f0addab3463fef194
-
Filesize
2.7MB
MD5a1ef6838f217c027c3abe2eb5891dc6c
SHA1a93bdbe5e553e23e45378153fb86026a76741fd0
SHA25643d67abc74bf54528d587ced07804275f3bc4d046f495d6bb931a101f0e99bd8
SHA512e81782ea2293bc3e52320446b8b83a31bd82647bc470396bac8c54e9d58a7b79aa11c6cd48e8d0fa1fdc5144a5c6bcaa89b0b4daa905b3075ee2706fa0ed10b7
-
Filesize
20.3MB
MD5d2030c3b9beea65e59a3f69e691d8dd1
SHA10040fbbff197bdd0435f7bfe58b864d07f9e7023
SHA256150aaa4eb3913540ac337256f7ac046bb754c8917b5988d15979dbb6a5b6dd5c
SHA512eaf4aae7569300f43e44ca1f79ce7f364b8f0bf0cbec26367345e54cc12c9c0ce2594c932847aacb27cdef5de5e48eced7959abb5ddd6d3962798174d6e85dc0
-
Filesize
7.0MB
MD5032c63fe4e0feb3adf0ab023221f0b12
SHA11954376072de5fd722f43926c21dea93aefe2914
SHA2561fef0964ae052adddb78a78ca9858c58efb3cf429d739ee65935c5e0a765529e
SHA51249d501e26f9535fec017ee9fb68fabc2a9683b966e0d5b1c671511a24c388d08f40f4b69dca6f7d67dd7e27748d879aaee77dabbfda5f7ce0adc03610d6f6f04
-
Filesize
9KB
MD50cd45c9b5e3d1990558d088a0546becf
SHA1db862ee4b98ae633ac5c264dcb700b71f7294631
SHA256654dd90152f1e45645b0adc0a2332bd10bd367bcbd3b9f1689acf22d3a887a61
SHA512f0b59d2225c72014315c553384476a749c703162fb6ff0f3b7a2fc34e54744426895023e6b2a4a2e3a287345cddef24b13a5e51d99e3ed03f1904f336e3d3105
-
Filesize
973KB
MD55cfe61ff895c7daa889708665ef05d7b
SHA15e58efe30406243fbd58d4968b0492ddeef145f2
SHA256f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA51243b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da
-
Filesize
1.7MB
MD52384a02c4a1f7ec481adde3a020607d3
SHA17e848d35a10bf9296c8fa41956a3daa777f86365
SHA256c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA5121ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503
-
Filesize
366KB
MD5099983c13bade9554a3c17484e5481f1
SHA1a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA51289f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2
-
Filesize
286KB
MD5b0d98f7157d972190fe0759d4368d320
SHA15715a533621a2b642aad9616e603c6907d80efc4
SHA2562922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA51241ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496
-
Filesize
439KB
MD5c88826ac4bb879622e43ead5bdb95aeb
SHA187d29853649a86f0463bfd9ad887b85eedc21723
SHA256c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3
-
Filesize
88KB
MD52c916456f503075f746c6ea649cf9539
SHA1fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA5121c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd
-
Filesize
188KB
MD5d407cc6d79a08039a6f4b50539e560b8
SHA121171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA25692cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c
-
Filesize
139B
MD5dbd537e3da06f7d7aeaf58f4decc0c94
SHA17e740ea6dcf8545710f99519014e9bb029028a84
SHA256349b36a467d778e29b96528cdd25d6c34a54be659a9ef516b3833106ceb679b2
SHA512a84633c420c825b15ef2fc5cf83a6d75fcdddbb06d3b7dc74537d5bc98b5d910d3dec4838f30be3a06373662d2946f156f36bd2e033e0b6089753006ac327a90
-
Filesize
52KB
MD5add33041af894b67fe34e1dc819b7eb6
SHA16db46eb021855a587c95479422adcc774a272eeb
SHA2568688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa