General
Target: 13dc06f507f4065d2b4ec6aceb6be914_JaffaCakes118
Size: 463KB
Sample: 240504-wmxr1adf5y
MD5: 13dc06f507f4065d2b4ec6aceb6be914
SHA1: 499ab8632d6e65d7d8c1764bbf32ded1edc77caf
SHA256: 325ae5820e59f2ca5d1b5efd8c03ee3a39327aa15ca846847edc8b00dd50803d
SHA512: 01e8e470ccfb0512dc8d2ea09ced261a19cb6c34810eb898bd491829636e49c299aa0d827a32b969b7925cd44a5ce00401ac589a8dbcdfc4837cd42d950e6dba
SSDEEP: 6144:yjNU2JGxqoOMWFZ3K1n1V171wMMEiTxkbNZTZktVZZpBVxQ:yjFQwoArKd1V7wMMFGbNZTZ6vXB3Q
Static task: static1
Behavioral task: behavioral1
  Sample: 13dc06f507f4065d2b4ec6aceb6be914_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 13dc06f507f4065d2b4ec6aceb6be914_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
Malware Config
Extracted: C:\Users\Admin\Desktop\_READ_THI$_FILE_7AJ0X64Q_.txt
Extracted: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THI$_FILE_6CAEZSW_.txt
Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THI$_FILE_GCT2UODF_.hta
Family: cerber
Targets
Score: 10/10
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext