a4b87b80b81e5b1ab43f2d3bb1def914eab5570573a7ea50e2d377283cb6a0fb

General

Target

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe
Size

316KB
MD5

2af8ed20917b3be123a78fccc68fd422
SHA1

07b138728d473e2cdc7fcab2a7191c9becd41c27
SHA256

a4b87b80b81e5b1ab43f2d3bb1def914eab5570573a7ea50e2d377283cb6a0fb
SHA512

eac87e0872edb0dd1b5b771650a24fbd6293ee03db644bfe13efd977975248d30bfa9667cc2d00dd31905cfab54006cd706696918211f5a1ec637a306ff0c6ba
SSDEEP

6144:6ribUzkuvcBYC47l2xLNaFmoKZLxtHU/TMDkW01eedmQb+xPT:6r7kuveY33FJUo7MDkA6a

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1876	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe
1876	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe
1876	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1876	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1876	2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1876

Network

DNS

c1.downlloaddatamy.info

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

c1.downlloaddatamy.info

IN A

Response
DNS

r1.getapplicationmy.info

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

r1.getapplicationmy.info

IN A

Response

r1.getapplicationmy.info

IN A

108.59.12.101
DNS

c2.downlloaddatamy.info

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

c2.downlloaddatamy.info

IN A

Response
DNS

c2.downlloaddatamy.info

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

c2.downlloaddatamy.info

IN A

Response
POST

http://r1.getapplicationmy.info/?report_version=5&

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

108.59.12.101:80

Request

POST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r1.getapplicationmy.info
Content-Length: 1888
Cache-Control: no-cache

Response

HTTP/1.1 429 Too Many Requests

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 17
date: Thu, 09 May 2024 17:02:37 GMT
server: nginx
set-cookie: sid=f034bc5f-0e25-11ef-bd11-f09428c10210; path=/; domain=.getapplicationmy.info; expires=Tue, 27 May 2092 20:16:44 GMT; max-age=2147483647; HttpOnly
DNS

r2.getapplicationmy.info

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

r2.getapplicationmy.info

IN A

Response

r2.getapplicationmy.info

IN A

94.229.72.120
POST

http://r2.getapplicationmy.info/?report_version=5&

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

Remote address:

94.229.72.120:80

Request

POST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r2.getapplicationmy.info
Content-Length: 1888
Cache-Control: no-cache
Cookie: sid=f034bc5f-0e25-11ef-bd11-f09428c10210

Response

HTTP/1.1 429 Too Many Requests

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 17
date: Thu, 09 May 2024 17:02:37 GMT
server: nginx

108.59.12.101:80

http://r1.getapplicationmy.info/?report_version=5&

http

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

2.4kB
640 B
7
7

HTTP Request

POST http://r1.getapplicationmy.info/?report_version=5&

HTTP Response

429
94.229.72.120:80

http://r2.getapplicationmy.info/?report_version=5&

http

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

2.4kB
478 B
7
7

HTTP Request

POST http://r2.getapplicationmy.info/?report_version=5&

HTTP Response

429

8.8.8.8:53

c1.downlloaddatamy.info

dns

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

69 B
148 B
1
1

DNS Request

c1.downlloaddatamy.info
8.8.8.8:53

r1.getapplicationmy.info

dns

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

70 B
86 B
1
1

DNS Request

r1.getapplicationmy.info

DNS Response

108.59.12.101
8.8.8.8:53

c2.downlloaddatamy.info

dns

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

138 B
296 B
2
2

DNS Request

c2.downlloaddatamy.info

DNS Request

c2.downlloaddatamy.info
8.8.8.8:53

r2.getapplicationmy.info

dns

2af8ed20917b3be123a78fccc68fd422_JaffaCakes118.exe

70 B
86 B
1
1

DNS Request

r2.getapplicationmy.info

DNS Response

94.229.72.120

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Tsu40586626.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{1000FCCE-9655-4D53-AFB8-DE77CBE3DE38}\Custom.dll

Filesize
91KB

MD5
d2b596fa229e1b03704c9e9c3b4d4aa0

SHA1
19c57157c2e9b58037a7d2bca4909cbf125e9a23

SHA256
1bf33578f57d6436e916cc0734e8adc66a0e3c7ca5de1290601a73e3e362419d

SHA512
4e0d8ba8aea2c36ec79c86dcb6febe28ee0788d6a4d94231b5de10930e7fe0d285786bf6bfc3d85d8f1e83a4fb65f0f8a24e691c3298fce60ccef9a434a0d9c0

Download Submit
\Users\Admin\AppData\Local\Temp\{1000FCCE-9655-4D53-AFB8-DE77CBE3DE38}\_Setup.dll

Filesize
173KB

MD5
be16f8d320da824f0db58ef6d75c75c6

SHA1
9c3993bbfa92ca6d5dc2b2721716f5040bb22d82

SHA256
a2879be2df754addca789fdd9d7d52dff21687414a2579ed8e05aaf9fb283822

SHA512
bbe5e522f5ef988d2ff216a5afc16fd5ee39244839f4ec6382f77d70df1dfe11e35cfad1ec4446ff06849c04c1e681bf312a9ea9623f96eac9e0677bab7eb1f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.