Analysis
  max time kernel: 131s
  max time network: 141s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 02-06-2024 07:59

Static task: static1

Behavioral task: behavioral1
  Sample: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
  Resource: win7-20240508-en
General
  Target: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
  Size: 347KB
  MD5: 8d6186658958e29ff84ac8e8d45c96cf
  SHA1: 0418a6f893eb8095cc5c2cdc702bd7c420739c00
  SHA256: 0b501e2cedad1838304551cb04498cfe2f47fb31ca7c0a4a05bd444a7f039158
  SHA512: 862c2b257386ad23f9a520e65a5595517294fa9f4425c94055f0db7a2714b7b000744beb170f630999a701128a8131632137bb0b81ba7052eddcd2a5c0a85f5a
  SSDEEP: 3072:c3X55K8ivf2WETl4QuNRLurVzwefoh5/nmXkQr5D0elEo81WZfZ4bIGDiIkya9gu:+we8/mzielEP1aZ4cGOI+gSS3rM
Malware Config
Signatures

- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes:
    description | ioc
    Destination IP | 148.103.9.108
    Destination IP | 148.103.9.108

- Drops file in System32 directory (1 IoCs)
  Processes: cultureright.exe
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | cultureright.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (18 IoCs)
  Processes: cultureright.exe
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | cultureright.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | cultureright.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | cultureright.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E002F39-DA80-4324-BB66-FA53DA95378F}\WpadNetworkName = "Network 3" | cultureright.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-75-3c-d0-00-a9 | cultureright.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-75-3c-d0-00-a9\WpadDecisionTime = 800a1bd4c2b4da01 | cultureright.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | cultureright.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | cultureright.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | cultureright.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E002F39-DA80-4324-BB66-FA53DA95378F}\WpadDecisionReason = "1" | cultureright.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E002F39-DA80-4324-BB66-FA53DA95378F}\WpadDecision = "0" | cultureright.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | cultureright.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E002F39-DA80-4324-BB66-FA53DA95378F} | cultureright.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E002F39-DA80-4324-BB66-FA53DA95378F}\WpadDecisionTime = 800a1bd4c2b4da01 | cultureright.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | cultureright.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E002F39-DA80-4324-BB66-FA53DA95378F}\76-75-3c-d0-00-a9 | cultureright.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-75-3c-d0-00-a9\WpadDecisionReason = "1" | cultureright.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-75-3c-d0-00-a9\WpadDecision = "0" | cultureright.exe

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe, 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe, cultureright.exe, cultureright.exe
    pid | process
    1904 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    2656 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    2704 | cultureright.exe
    2696 | cultureright.exe
    2696 | cultureright.exe
    2696 | cultureright.exe
    2696 | cultureright.exe
    2696 | cultureright.exe

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    pid | process
    2656 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe, cultureright.exe
    description | pid | process | target process
    PID 1904 wrote to memory of 2656 | 1904 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    PID 1904 wrote to memory of 2656 | 1904 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    PID 1904 wrote to memory of 2656 | 1904 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    PID 1904 wrote to memory of 2656 | 1904 | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe | 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    PID 2704 wrote to memory of 2696 | 2704 | cultureright.exe | cultureright.exe
    PID 2704 wrote to memory of 2696 | 2704 | cultureright.exe | cultureright.exe
    PID 2704 wrote to memory of 2696 | 2704 | cultureright.exe | cultureright.exe
    PID 2704 wrote to memory of 2696 | 2704 | cultureright.exe | cultureright.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe (PID 1904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe (PID 2656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\cultureright.exe (PID 2704)
  Command line: "C:\Windows\SysWOW64\cultureright.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cultureright.exe (PID 2696)
    Command line: "C:\Windows\SysWOW64\cultureright.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses