Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/06/2024, 09:47 UTC

General

  • Target

    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe

  • Size

    133KB

  • MD5

    19ada4f485685897d1582a02110fb67d

  • SHA1

    e87f2d2f265e81954a64a47fe7f7b89549276ca7

  • SHA256

    cd302cc3898fd0a1803cd8203844c5f90463c37f8c3ff41f45d8e6a1575f5d72

  • SHA512

    b52b0086652bff45197e145bce7836d0e193d81841108e8063ddb4f9b25401e3dbe3b8c01434894b0d0ecdc3d97d959a770f6c90e2a9bfe95f96be036c85641d

  • SSDEEP

    3072:3af33NYvGpEJ7aD7OgHPtAkTiH41k0z+BNvZwcFGQ:Kf+vGw7COY9TiY1wTqQ

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:1796

Network

  • DNS (US): cutit.org
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request: cutit.org IN A
    Response:
    cutit.org IN A 172.232.4.213
    cutit.org IN A 172.232.31.180
    cutit.org IN A 172.232.25.148
  • DNS (US): q.gs
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request: q.gs IN A
    Response:
    q.gs IN A 172.67.193.84
    q.gs IN A 104.21.84.133
  • GET (US): http://q.gs/EVnYC
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 172.67.193.84:80
    Request:
    GET /EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: q.gs
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Fri, 28 Jun 2024 09:47:13 GMT
    Content-Type: text/html
    Content-Length: 143
    Connection: keep-alive
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V6T5xPhbLJnF3%2FZFMIX1L6aJ0ktwclkvVHfPv4SGUW2PML%2FqSnNi9mj72cLowY19EVLWM2ZYVQWQ%2F%2BOfTHCtdrIwlVdfpPRPKywdkXWghlKmgHcUQyJ8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89acc10f4fc27735-LHR
    alt-svc: h2=":443"; ma=60
  • DNS (US): publisher.linkvertise.com
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request: publisher.linkvertise.com IN A
    Response:
    publisher.linkvertise.com IN A 104.22.22.72
    publisher.linkvertise.com IN A 172.67.31.186
    publisher.linkvertise.com IN A 104.22.23.72
  • GET (US): https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 104.22.22.72:443
    Request:
    GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: publisher.linkvertise.com
    Response
    HTTP/1.1 302 Found
    Date: Fri, 28 Jun 2024 09:47:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    location: https://linkvertise.com/adfly-notice
    Cache-Control: no-cache, private
    vary: Origin
    set-cookie: laravel_session=TmZkImd28LsK1u9Geyq1mtDjdIodAOj08UgDKDQ2; expires=Sat, 28 Jun 2025 09:47:13 GMT; Max-Age=31536000; path=/; domain=.linkvertise.com; httponly
    CF-Cache-Status: DYNAMIC
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 89acc1133a126700-AMS
    alt-svc: h3=":443"; ma=86400
  • DNS (US): linkvertise.com
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request: linkvertise.com IN A
    Response:
    linkvertise.com IN A 104.22.22.72
    linkvertise.com IN A 172.67.31.186
    linkvertise.com IN A 104.22.23.72
  • GET (US): https://linkvertise.com/adfly-notice
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 104.22.22.72:443
    Request:
    GET /adfly-notice HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: linkvertise.com
    Cookie: laravel_session=TmZkImd28LsK1u9Geyq1mtDjdIodAOj08UgDKDQ2
    Response
    HTTP/1.1 200 OK
    Date: Fri, 28 Jun 2024 09:47:14 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    Link: <//cdn.exmarketplace.com>; rel="preconnect", <//securepubads.g.doubleclick.net>; rel="preconnect"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=flK6Ge%2BYcxI8wjUZx1Q4uVKJTZdKcUzP9oNykWChi5qKlx%2Bw%2Ffr4dsbbk75smK3UaAHdaxifrTy74M8gEV4M%2BQCBtKpr5CrqHaeQb8OTVr4O0Wf9eIY0RRL8LJh%2B2G2raNo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 89acc1195ae1660e-AMS
    alt-svc: h3=":443"; ma=86400
  • DNS (US): apps.identrust.com
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request: apps.identrust.com IN A
    Response:
    apps.identrust.com IN CNAME identrust.edgesuite.net
    identrust.edgesuite.net IN CNAME a1952.dscq.akamai.net
    a1952.dscq.akamai.net IN A 23.63.101.171
    a1952.dscq.akamai.net IN A 23.63.101.153
  • GET (NL): http://apps.identrust.com/roots/dstrootcax3.p7c
    Process: 19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    Remote address: 23.63.101.171:80
    Request:
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Fri, 28 Jun 2024 10:47:14 GMT
    Date: Fri, 28 Jun 2024 09:47:14 GMT
    Connection: keep-alive
  • 172.232.4.213:443
    cutit.org
    tls
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    390 B
    219 B
    5
    5
  • 172.232.4.213:443
    cutit.org
    tls
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    352 B
    219 B
    5
    5
  • 172.232.4.213:443
    cutit.org
    tls
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    288 B
    219 B
    5
    5
  • 172.232.4.213:443
    cutit.org
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    190 B
    132 B
    4
    3
  • 172.67.193.84:80
    http://q.gs/EVnYC
    http
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    434 B
    2.0kB
    6
    5

    HTTP Request

    GET http://q.gs/EVnYC

    HTTP Response

    302
  • 104.22.22.72:443
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    tls, http
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    1.1kB
    6.8kB
    11
    12

    HTTP Request

    GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC

    HTTP Response

    302
  • 104.22.22.72:443
    https://linkvertise.com/adfly-notice
    tls, http
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    2.0kB
    54.0kB
    31
    50

    HTTP Request

    GET https://linkvertise.com/adfly-notice

    HTTP Response

    200
  • 23.63.101.171:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 8.8.8.8:53
    cutit.org
    dns
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    55 B
    103 B
    1
    1

    DNS Request

    cutit.org

    DNS Response

    172.232.4.213
    172.232.31.180
    172.232.25.148

  • 8.8.8.8:53
    q.gs
    dns
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    50 B
    82 B
    1
    1

    DNS Request

    q.gs

    DNS Response

    172.67.193.84
    104.21.84.133

  • 8.8.8.8:53
    publisher.linkvertise.com
    dns
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    71 B
    119 B
    1
    1

    DNS Request

    publisher.linkvertise.com

    DNS Response

    104.22.22.72
    172.67.31.186
    104.22.23.72

  • 8.8.8.8:53
    linkvertise.com
    dns
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    61 B
    109 B
    1
    1

    DNS Request

    linkvertise.com

    DNS Response

    104.22.22.72
    172.67.31.186
    104.22.23.72

  • 8.8.8.8:53
    apps.identrust.com
    dns
    19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    23.63.101.171
    23.63.101.153

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    4e583b54cff596103f41f06f3a674c69

    SHA1

    ced44d7a219fea4242c2ebe9f8909e46496323d6

    SHA256

    68c57f4e0e599cf8dd847ba9dd72b72e92e439fa66b0c008ab0a289c5224c023

    SHA512

    c39ad6e2033ab58bebfe0d2c8101469cc928d17cdb08b9b86cc49f8bb39d48b13d6c76ae57af790dc5df301173b44e8886d040ef8e266f5279db595c15d16196

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    377f3e64b4bfcca92410268a0845a018

    SHA1

    a4acb2547737d673979743776ff85cd67f19e0ae

    SHA256

    54764499841d00ac08a0850e673eaa46f1ce53564fca181870d8e3e24bbe3a57

    SHA512

    f4805f51275205f56c8024d5aaac2a67265f996334b35fc30b0e9bcd3b1e7205a4591fe61c31c27bb9c097603461472888f367440139fd0181d0f658f0f58178

  • C:\Users\Admin\AppData\Local\Temp\Cab2F8B.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar2F9D.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\Tar309D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\19ada4f485685897d1582a02110fb67d_JaffaCakes118.exe

    Filesize

    133KB

    MD5

    86e3987da231623cbbcd5a4b1b7e9703

    SHA1

    35b7fbd24b1c65467ec303b2e46df433dc7645d9

    SHA256

    bf12c8291717b5d682da60e691643437d9fbb3a6dc215b40eaefb48b60a686aa

    SHA512

    405321fa8aa7076a6b74a818cc9ddc2578fc46527ed4a0943b962fc104db58855cd8e0f4bc7adad23bd20ade77be2d11ab89ceb1a37d4312719a1f75cc30f828

  • memory/1796-23-0x0000000000150000-0x0000000000171000-memory.dmp

    Filesize

    132KB

  • memory/1796-113-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2192-0-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2192-15-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2192-13-0x0000000000320000-0x00000000003A6000-memory.dmp

    Filesize

    536KB

  • memory/2192-2-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2192-1-0x00000000002F0000-0x0000000000311000-memory.dmp

    Filesize

    132KB
