b85f5dc0033f98ef9fcab158cec28751306c39b05a790ec725b5e9bde8d4dcb5

Analysis

max time kernel
96s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
Size

554KB
MD5

f5ea2c4b8d649044a67fa73a2fbc05b8
SHA1

bd9537b8f49187eb56879564123442feca44df91
SHA256

b85f5dc0033f98ef9fcab158cec28751306c39b05a790ec725b5e9bde8d4dcb5
SHA512

ff288f88fbe07fba00b054a46cc9b0355638b8a460a14748a2fb97683f00841e2c536504158e6fe0552195544a6e187d4a5a172f43a14f872b6c68d0aa806ada
SSDEEP

6144:ee34R2VkSFVzh36dqXEV2rnCeZG/t7FTBqTzP7n7O7L6K2Bfo7pA:w2Vr3zh36VV2Go0ZTsnz7O7L6ju7pA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
5072	f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
5072	f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
5072	f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
5072	f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
5072	f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
5072	f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
PID:5072

Network

DNS

download.phpnuke.org

f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

download.phpnuke.org

IN A

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3C8BABFE31D06B7704DCBF9A306B6A60; domain=.bing.com; expires=Mon, 12-May-2025 13:55:17 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 898FB9E6767643ADB62B86548FE753D2 Ref B: LON04EDGE0918 Ref C: 2024-04-17T13:55:17Z
date: Wed, 17 Apr 2024 13:55:17 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3C8BABFE31D06B7704DCBF9A306B6A60

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=0K2bQt7KoPphn-edBaDBWGF1kKhEcPe0T7L0dNSMdH8; domain=.bing.com; expires=Mon, 12-May-2025 13:55:18 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 43046A27EECF451599175A88BA963B6B Ref B: LON04EDGE0918 Ref C: 2024-04-17T13:55:18Z
date: Wed, 17 Apr 2024 13:55:17 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3C8BABFE31D06B7704DCBF9A306B6A60; MSPTC=0K2bQt7KoPphn-edBaDBWGF1kKhEcPe0T7L0dNSMdH8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 62FF7D057B204302A27B91CDE8D25CD7 Ref B: LON04EDGE0918 Ref C: 2024-04-17T13:55:18Z
date: Wed, 17 Apr 2024 13:55:17 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

25.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.24.18.2.in-addr.arpa

IN PTR

Response

25.24.18.2.in-addr.arpa

IN PTR

a2-18-24-25deploystaticakamaitechnologiescom
DNS

25.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.24.18.2.in-addr.arpa

IN PTR
DNS

25.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.24.18.2.in-addr.arpa

IN PTR
DNS

25.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.24.18.2.in-addr.arpa

IN PTR
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR
DNS

248.81.21.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

248.81.21.2.in-addr.arpa

IN PTR

Response

248.81.21.2.in-addr.arpa

IN PTR

a2-21-81-248deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

tls, http2

1.9kB
10.5kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6112daa381ad4f6593df097a08fc1537&localId=w:82014CF4-DC18-5C6E-6DB2-ACA702FC47E3&deviceId=6896199938616243&anid=

HTTP Response

204

8.8.8.8:53

download.phpnuke.org

dns

f5ea2c4b8d649044a67fa73a2fbc05b8_JaffaCakes118.exe

66 B
128 B
1
1

DNS Request

download.phpnuke.org
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

25.24.18.2.in-addr.arpa

dns

276 B
131 B
4
1

DNS Request

25.24.18.2.in-addr.arpa

DNS Request

25.24.18.2.in-addr.arpa

DNS Request

25.24.18.2.in-addr.arpa

DNS Request

25.24.18.2.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

72.32.126.40.in-addr.arpa

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

248.81.21.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

248.81.21.2.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

21.236.111.52.in-addr.arpa

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg3029.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3029.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3029.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3029.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3029.tmp\UAC.dll

Filesize
17KB

MD5
09caf01bc8d88eeb733abc161acff659

SHA1
b8c2126d641f88628c632dd2259686da3776a6da

SHA256
3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

SHA512
ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3029.tmp\ioSpecial.ini

Filesize
1KB

MD5
732ae7ae61b996f83fabf90b2d3671af

SHA1
d193f22ae51e06083755b26c99d2c28d4d5c58d9

SHA256
4813487f8218f728bec715951c4adb6ed0faec915dbadf5e85a15c0b434930c8

SHA512
aa148f68be14c72e6d9b975a383f653e117ad0179a89835a8d6cc650c7248d845e4b9beee6b4a5be152614b624b66e91023084acc13e3968512b1fb6b3cfff21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.