Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 15:42

General

  • Target

    6b6ebf1923001878daa1fbf09640655c_JaffaCakes118.exe

  • Size

    219KB

  • MD5

    6b6ebf1923001878daa1fbf09640655c

  • SHA1

    d0c22d0277cea08f176d3b0e0cb030947e21851c

  • SHA256

    fc4c45524b459ee65fff5e9bc484cb1209cf89cff5e9e5a534d439533a95ceed

  • SHA512

    c195f8e15b63b9dfc4d890c79545450309080bbaed618a42faa428877b01562a5db25644615ce442cc2560739fec9b14b8036bea7ed144b48ef5e0581a969149

  • SSDEEP

    6144:8m168FmCFsPeN8fdoIg4j5T0MJHYV1o6ckOnNyjtnlQ:8iwvmN8fKl4j5AMJ13k+NulQ

Malware Config

Extracted

  • Family
    cobaltstrike
  • Botnet
    0
  • C2
    http://103.140.238.125:443/directory/all/tags/dcf598ca-b5de-47d4-af33-ecabe9eaeee1

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_sleep

    2.68468224e+09

  • host

    103.140.238.125,/directory/all/tags/dcf598ca-b5de-47d4-af33-ecabe9eaeee1

  • http_header1

    AAAACQAAAAlvZz1hcHBfaWQAAAAQAAAAE0hvc3Q6IHd3dy50d2l0Y2gudHYAAAAKAAAAIEFjY2VwdDogdGV4dC9wbGFpbjtjaGFyc2V0PVVURi04AAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACktpbU5lNzhLY3gAAAABAAAADTZ3S2k1ZlhBcDMxa28AAAAGAAAACUNsaWVudC1JZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAAEAAAABNIb3N0OiBncWwudHdpdGNoLnR2AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAAAwAAAAIAAAAeInF1ZXJ5IjoiY3Mgb25saW5lIiwib3B0aW9ucyI6AAAAAQAAAB4sImV4dGVuc2lvbnMiOiJwZXJzaXN0ZWRRdWVyeSIAAAAEAAAABwAAAAAAAAANAAAAAgAAAA82MFUycjNySVloSDZ6aS0AAAABAAAAFC1DNnMyd08waFNZU2tvZ2hLUT09AAAABgAAAAlDbGllbnQtSWQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    6144

  • maxdns

    244

  • polling_time

    63141

  • port_number

    443

  • sc_process32

    %windir%\syswow64\mfpmp.exe

  • sc_process64

    %windir%\sysnative\mfpmp.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNhBzcit/pmBVAe4IwGwtIADckSNF/F9EmZgXqGW+PWWQ7mAicB1pieRhSfoJwgPGsj8H5+fE1YfgVgalNRGbGqByhw4GfTv0bbeLr0oqNmUP/pP6TLaAcgV0EP0rFGUdDDXI/RHXAIor7jCGC0vfnQ9mrjtbIN99tWb+YYW8pbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.645355008e+09

  • unknown2

    AAAABAAAAAEAAAY4AAAAAgAADCoAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /gql

  • user_agent

    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

  • watermark

    0

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b6ebf1923001878daa1fbf09640655c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6b6ebf1923001878daa1fbf09640655c_JaffaCakes118.exe"
    PID:4612

    Downloads

    • memory/4612-0-0x00000000007A0000-0x00000000007DD000-memory.dmp

      Filesize

      244KB

    • memory/4612-1-0x0000000000400000-0x000000000043C510-memory.dmp

      Filesize

      241KB

    • memory/4612-2-0x00000000007A0000-0x00000000007DD000-memory.dmp

      Filesize

      244KB