Overview
overview
10Static
static
38f60440853...18.exe
windows7-x64
78f60440853...18.exe
windows10-2004-x64
10$1/1337/Ex.exe
windows7-x64
7$1/1337/Ex.exe
windows10-2004-x64
10$1/1337/Ex...0].exe
windows7-x64
1$1/1337/Ex...0].exe
windows10-2004-x64
1$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 20:49
Static task
static1
Behavioral task
behavioral1
Sample
8f604408532bc298c12de77e77d67652_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8f604408532bc298c12de77e77d67652_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$1/1337/Ex.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
$1/1337/Ex.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$1/1337/ExtrimHack [free][22.08.2020].exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$1/1337/ExtrimHack [free][22.08.2020].exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
General
-
Target
8f604408532bc298c12de77e77d67652_JaffaCakes118.exe
-
Size
14.3MB
-
MD5
8f604408532bc298c12de77e77d67652
-
SHA1
b16d5cae22bd5af1919c107ff5c5786a1a8dfdf0
-
SHA256
354bf7f1899b9c1eec5cd0f24b75520ef811c12f22ad5e66ce595efcd26aea07
-
SHA512
cb0f3e11060630afd3ac597385652706fac40e683ddf0d4c2328dd2bc267e8e5f8426d1ea744e70f062e9a9ca489311735deca78394d312381b5136a5838d9fc
-
SSDEEP
393216:QoS9aM6LJYmNPViSfX88SEy0hme/RZkjX87EQiL7xZr7SWWjIj7:QoS976LJYOPA4X887vhnESmnreW77
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.url csrss.com -
Executes dropped EXE 4 IoCs
pid Process 2108 Ex.exe 2640 ExtrimHack [free][22.08.2020].exe 2736 csrss.com 2544 csrss.com -
Loads dropped DLL 5 IoCs
pid Process 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 2748 cmd.exe 2736 csrss.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2804 PING.EXE 2500 PING.EXE -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2736 csrss.com 2736 csrss.com 2736 csrss.com 2544 csrss.com 2544 csrss.com 2544 csrss.com -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 2736 csrss.com 2736 csrss.com 2736 csrss.com 2544 csrss.com 2544 csrss.com 2544 csrss.com -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2108 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 28 PID 1264 wrote to memory of 2108 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 28 PID 1264 wrote to memory of 2108 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 28 PID 1264 wrote to memory of 2108 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 28 PID 1264 wrote to memory of 2640 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 29 PID 1264 wrote to memory of 2640 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 29 PID 1264 wrote to memory of 2640 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 29 PID 1264 wrote to memory of 2640 1264 8f604408532bc298c12de77e77d67652_JaffaCakes118.exe 29 PID 2108 wrote to memory of 2860 2108 Ex.exe 30 PID 2108 wrote to memory of 2860 2108 Ex.exe 30 PID 2108 wrote to memory of 2860 2108 Ex.exe 30 PID 2108 wrote to memory of 2860 2108 Ex.exe 30 PID 2108 wrote to memory of 2616 2108 Ex.exe 32 PID 2108 wrote to memory of 2616 2108 Ex.exe 32 PID 2108 wrote to memory of 2616 2108 Ex.exe 32 PID 2108 wrote to memory of 2616 2108 Ex.exe 32 PID 2616 wrote to memory of 2748 2616 cmd.exe 34 PID 2616 wrote to memory of 2748 2616 cmd.exe 34 PID 2616 wrote to memory of 2748 2616 cmd.exe 34 PID 2616 wrote to memory of 2748 2616 cmd.exe 34 PID 2748 wrote to memory of 2804 2748 cmd.exe 35 PID 2748 wrote to memory of 2804 2748 cmd.exe 35 PID 2748 wrote to memory of 2804 2748 cmd.exe 35 PID 2748 wrote to memory of 2804 2748 cmd.exe 35 PID 2748 wrote to memory of 2636 2748 cmd.exe 36 PID 2748 wrote to memory of 2636 2748 cmd.exe 36 PID 2748 wrote to memory of 2636 2748 cmd.exe 36 PID 2748 wrote to memory of 2636 2748 cmd.exe 36 PID 2748 wrote to memory of 2736 2748 cmd.exe 37 PID 2748 wrote to memory of 2736 2748 cmd.exe 37 PID 2748 wrote to memory of 2736 2748 cmd.exe 37 PID 2748 wrote to memory of 2736 2748 cmd.exe 37 PID 2748 wrote to memory of 2500 2748 cmd.exe 38 PID 2748 wrote to memory of 2500 2748 cmd.exe 38 PID 2748 wrote to memory of 2500 2748 cmd.exe 38 PID 2748 wrote to memory of 2500 2748 cmd.exe 38 PID 2736 wrote to memory of 2544 2736 csrss.com 39 PID 2736 wrote to memory of 2544 2736 csrss.com 39 PID 2736 wrote to memory of 2544 2736 csrss.com 39 PID 2736 wrote to memory of 2544 2736 csrss.com 39 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40 PID 2544 wrote to memory of 1644 2544 csrss.com 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f604408532bc298c12de77e77d67652_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8f604408532bc298c12de77e77d67652_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Admin\AppData\Roaming\1337\Ex.exe"C:\Users\Admin\AppData\Roaming\1337\Ex.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo pUVyOKPt3⤵PID:2860
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c mkdir C:\Users\Admin\AppData\Roaming\Sysfiles & cmd < XuGJAWtEjFqgoZUl.com3⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\cmd.execmd4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\PING.EXEping -n 1 moLu.nnnbID5⤵
- Runs ping.exe
PID:2804
-
-
C:\Windows\SysWOW64\certutil.execertutil -decode qTh.com y5⤵PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comcsrss.com y5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com y6⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe7⤵PID:1644
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 305⤵
- Runs ping.exe
PID:2500
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][22.08.2020].exe"C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][22.08.2020].exe"2⤵
- Executes dropped EXE
PID:2640
-
Network
-
Remote address:8.8.8.8:53RequestmoLu.nnnbIDIN AResponse
-
Remote address:8.8.8.8:53RequestchpMHpkOfJY.chpMHpkOfJYIN AResponse
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
921KB
MD5c317736793ef5129f12a3568cd679422
SHA1e68b55969c5f2159c847a629fac3731c0c315d53
SHA256cbb5d906c63cbcb891b35e53156b643ac26c5dec922f43b2fd121ccca60beb62
SHA51269cb5fd5f1a30c3c786ca945b8de6a460d03605fc3416a3c33e69691603e1a43ad0cfefe9cd5d6af1a154b701ecf34526cc05d9235a4e38acf994eb0edb1a82c
-
Filesize
398B
MD50047726ce0f38e02fda2068d7ff7ceff
SHA10702fd3e290b95b70b5fc3b70cdb57c808baceb7
SHA2560423e080422306752ccf52e4639a8f6e58596176e730d10bd812012ccf4f296b
SHA51200b525c341b3297e3b011065b32bab9d29eee920e7faebea93e4fcc4fef69b166c11c10291cc9ba9b931551eca3dc9ddae27b681c4d4423478ea3a65d29c7d83
-
Filesize
2.3MB
MD509cc8b02108c2ca6db6197e37b165a65
SHA19f245c5206ce171cfc288ed8bf05896d1b36a1f0
SHA25689ad1822d2ee2d5e39d2e4aae2016562244f7ea43071c192e8989a3c2544d998
SHA512d50c20b554dd85996f8b7432fb3d3668c3fbfcd77314a4adc476861373a0350b122be61ab1aa087153e45c48cf6a453d0829ccfa4786cf679ee3dccb7cffadae
-
Filesize
1.1MB
MD513a508782d30a527e997a64996920287
SHA14628a103700d13b6f3920b3a8a06e9757bf0a9eb
SHA256e06ad6278f8cdccb51ed58aee3d6ba97bd770b2d8b827746e539770fc959354e
SHA512cd860c7c8eea0faf0e62f1e695f60c02050c284617265f3e9c11dac4e4cbea34cb656719ae6bdeb39a36dd1446bb443cbcf9c9f4a595c1749f9088d7c082d142
-
Filesize
842KB
MD5dbcc4336d132df084c59bbddff9693f5
SHA1172d404379f6d288db4eacaa11bf0fa1ccffa451
SHA256ea3b51ae7fb4264cd4aca28f02fa027bb25ce69a9ece5ff1f9f581b1ae62c84e
SHA512d7209e47c9ef7e8f0db4bc736828e79d745415dde0dbaa7b4d5a21d6ee3406b139f3565cdcae16911c330d3ebbe1bcbe77f5e40d2313909a3b7b58697d3d4e34
-
Filesize
11.3MB
MD5fe3a88a304364f9c854c512de19a4e94
SHA1987b853451fa2f61b752e47ab96f3e9de8340d41
SHA256b092117610e94505469547b4297da5dc4ed48af078dae45515a4d9fc211c541b
SHA512f88008b5ab5ec1016314bf67e99ba166522546709029f9fec2477e9b2604cc0a32829c046de5104c1ac4ec89bb3e141ed528c74e6d8a8190baf95272ac223396
-
Filesize
921KB
MD58ed172328f643375ac09b31ffba0eb63
SHA1c6716e5e5a311f597e37c5660b0387ab8f77b2a0
SHA25623e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928
SHA51279efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
3.1MB
MD57afcb8667f1ec33f0cc084936a8a4044
SHA1a2755123f3515fbfcbd5b1ab38c22fa757b8afa8
SHA2562304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71
SHA512bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8