Overview (score 10)
Static (score 3)

Tasks (sample, platform, score):
  41b93173a8...18.exe    windows7-x64        10
  41b93173a8...18.exe    windows10-2004-x64  10
  $APPDATA/9...60.dll    windows7-x64        1
  $APPDATA/9...60.dll    windows10-2004-x64  1
  $APPDATA/m...pad.ko    ubuntu-18.04-amd64  (no score)
  $APPDATA/s...60.dll    windows7-x64        1
  $APPDATA/s...60.dll    windows10-2004-x64  1
  $APPDATA/s...te.dll    windows7-x64        1
  $APPDATA/s...te.dll    windows10-2004-x64  1
  $PLUGINSDI...em.dll    windows7-x64        3
  $PLUGINSDI...em.dll    windows10-2004-x64  3
  $PLUGINSDI...fo.dll    windows7-x64        3
  $PLUGINSDI...fo.dll    windows10-2004-x64  3
  $TEMP/aspnetwp.exe     windows7-x64        1
  $TEMP/aspnetwp.exe     windows10-2004-x64  1
  $TEMP/planula.dll      windows7-x64        4
  $TEMP/planula.dll      windows10-2004-x64  4
Analysis
  max time kernel:  116s
  max time network: 137s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240508-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        14-05-2024 13:49
Tasks:
  static1       Static task
  behavioral1   Sample: 41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe                           Resource: win7-20240508-en
  behavioral2   Sample: 41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe                           Resource: win10v2004-20240508-en
  behavioral3   Sample: $APPDATA/9.opends60.dll                                                      Resource: win7-20240221-en
  behavioral4   Sample: $APPDATA/9.opends60.dll                                                      Resource: win10v2004-20240426-en
  behavioral5   Sample: $APPDATA/matrixkeypad.ko                                                     Resource: ubuntu1804-amd64-20240508-en
  behavioral6   Sample: $APPDATA/season/INDEXTYPE/emailAddress/directory/48.opends60.dll             Resource: win7-20240419-en
  behavioral7   Sample: $APPDATA/season/INDEXTYPE/emailAddress/directory/48.opends60.dll             Resource: win10v2004-20240226-en
  behavioral8   Sample: $APPDATA/season/INDEXTYPE/emailAddress/directory/IEExecRemote.dll            Resource: win7-20240221-en
  behavioral9   Sample: $APPDATA/season/INDEXTYPE/emailAddress/directory/IEExecRemote.dll            Resource: win10v2004-20240508-en
  behavioral10  Sample: $PLUGINSDIR/System.dll                                                       Resource: win7-20240215-en
  behavioral11  Sample: $PLUGINSDIR/System.dll                                                       Resource: win10v2004-20240426-en
  behavioral12  Sample: $PLUGINSDIR/UserInfo.dll                                                     Resource: win7-20240508-en
  behavioral13  Sample: $PLUGINSDIR/UserInfo.dll                                                     Resource: win10v2004-20240508-en
  behavioral14  Sample: $TEMP/aspnetwp.exe                                                           Resource: win7-20240221-en
  behavioral15  Sample: $TEMP/aspnetwp.exe                                                           Resource: win10v2004-20240508-en
  behavioral16  Sample: $TEMP/planula.dll                                                            Resource: win7-20240508-en
  behavioral17  Sample: $TEMP/planula.dll                                                            Resource: win10v2004-20240226-en
General
  Target:  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
  Size:    538KB
  MD5:     41b93173a8b5583daaf090438fb05004
  SHA1:    a0db1a8f024e95fbc5c4c4930a4f6f905bbcab24
  SHA256:  b87cfba8a4f2329b0b372326a7f169f5896459a6bdae0ad8857b576129722204
  SHA512:  a770ed85694301daa0b8f9c46dbc25207411b888d6d1a358a816590f0c3bbfad05bd438545554e6c3ce391be6b640acbf69819f38aab0dd235caf2d17962be57
  SSDEEP:  12288:kNi7Ynlwt1fL+RcGNh25nxXLZmW2PjlyjkvGha:kNk+lwrEcEc5nRLZj2PjlyTa
Malware Config
Signatures
Executes dropped EXE 2 IoCs
  pid   Process
  6692  notepad.exe
  5848  GetX64BTIT.exe

Loads dropped DLL 2 IoCs
  pid   Process
  1976  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
  1976  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  33    api.ipify.org
  34    api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory 1 IoCs
  description                   ioc                 Process
  File opened for modification  C:\Windows\win.ini  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 IoCs
  pid   Process
  5956  powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
  pid  pid_target  Process       procid_target
  344  6692        WerFault.exe  84

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  1976  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe  (1 row)
  6692  notepad.exe                                          (61 rows)
  5956  powershell.exe                                       (2 rows)

Suspicious behavior: MapViewOfSection 1 IoCs
  pid   Process
  1976  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  5956  powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs
  pid   Process
  6692  notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs
  description                       pid   Process                                              procid_target
  PID 1976 wrote to memory of 6692  1976  41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe  84
  (the same row is repeated for all 64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe"
  PID:1976
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\notepad.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
      PID:6692
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
          PID:5848
          - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6692 -s 1528
          PID:344
          - Program crash

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  PID:6072

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\"""
      PID:6004

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\""
          PID:5956
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6692 -ip 6692
  PID:4184
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize  3KB
  MD5       b4cd27f2b37665f51eb9fe685ec1d373
  SHA1      7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize  162KB
  MD5       e92d3a824a0578a50d2dd81b5060145f
  SHA1      50ef7c645fd5cbb95d50fbaddf6213800f9296ec
  SHA256    87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661
  SHA512    40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

  Filesize  12KB
  MD5       0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1      48df0911f0484cbe2a8cdd5362140b63c41ee457
  SHA256    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  SHA512    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

  Filesize  72KB
  MD5       6abeff0d3c52cf017e36e941f035c3e9
  SHA1      ba0f193dd98a5502c29c4f5671ed066e2a3ae38c
  SHA256    da93766a660b71b43492920bdb0478359fe86a17a3f51a0329cf6ac77e0852b2
  SHA512    8b256cc4787c7aee904e36c3772916a5d06c5bde96e9bda3897ca1e7e7e1099d5e46e0d921bed64a1633a91508301ee8568211f02d7dac5dde9f84a57a5ac0a7

  Filesize  28B
  MD5       2c59de1525addd4762cc303997abd6bc
  SHA1      5c171c0a5ccbbc51bb649c71773f88322e484cae
  SHA256    127fe125ee5dd9f16ab18ca9d92b5c994fb4cdfec22f1326366c170f4663947b
  SHA512    9ac84fb6161ae4f2d4a036a65ce570158ab04b7858974600668860349ff3e7cbb02a47ee06cec6361d04802670675b4855b69437d7c6cbdbe7546b2a4783c439

  Filesize  131B
  MD5       9848e4efb0abd437d65e6d3d1d973adb
  SHA1      f427ac7c50b19f66658ae7f92cbaf21110b49a47
  SHA256    c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f
  SHA512    f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17