1472780b22a70f13e6aec3ffd06fc9714748841f9f88c3c3b743d247d9711d68

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 05:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe
Size

696KB
MD5

24bd3998edbc7549f50201cce7b9a11c
SHA1

713f191a4b99967af3c019765931a9624fdc8830
SHA256

1472780b22a70f13e6aec3ffd06fc9714748841f9f88c3c3b743d247d9711d68
SHA512

ca1adc1f5a27711442187e7032c1e1bee8d4c56313531dce2f2de817b4d3ddb31d7ed05a2ba4edba41ff1bcd30c15501a3f4468419b8179631d47fdcfe2eec03
SSDEEP

12288:IF9COQM7p6I76cLkjTisIessEnq9+uJ7zk+nG8R5+YIHf8pw5a4EcseV:yxrYBfhcnq3JhG8RobEpcaTi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2180	CheckVer104.exe
4356	regver.exe

Loads dropped DLL 3 IoCs

pid	Process
2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe
2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe
2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4356	regver.exe
4356	regver.exe
2180	CheckVer104.exe
2180	CheckVer104.exe
4356	regver.exe
4356	regver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4356	2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe	82
PID 2404 wrote to memory of 4356	2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe	82
PID 2404 wrote to memory of 4356	2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe	82
PID 2404 wrote to memory of 2180	2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe	81
PID 2404 wrote to memory of 2180	2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe	81
PID 2404 wrote to memory of 2180	2404	24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24bd3998edbc7549f50201cce7b9a11c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
  C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Users\Admin\AppData\Local\TempImg\regver.exe
  C:\Users\Admin\AppData\Local\TempImg\regver.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4356

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

www.app-zilla.com

regver.exe

Remote address:

8.8.8.8:53

Request

www.app-zilla.com

IN A

Response

www.app-zilla.com

IN CNAME

traff-6.hugedomains.com

traff-6.hugedomains.com

IN CNAME

hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com

hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com

IN A

18.119.154.66

hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com

IN A

3.140.13.188
GET

http://www.app-zilla.com/register_install_ppd.php

regver.exe

Remote address:

18.119.154.66:80

Request

GET /register_install_ppd.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.app-zilla.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Thu, 04 Jul 2024 05:09:58 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=app-zilla.com
DNS

www.hugedomains.com

regver.exe

Remote address:

8.8.8.8:53

Request

www.hugedomains.com

IN A

Response

www.hugedomains.com

IN A

172.67.70.191

www.hugedomains.com

IN A

104.26.6.37

www.hugedomains.com

IN A

104.26.7.37
GET

https://www.hugedomains.com/domain_profile.cfm?d=app-zilla.com

regver.exe

Remote address:

172.67.70.191:443

Request

GET /domain_profile.cfm?d=app-zilla.com HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: www.hugedomains.com

Response

HTTP/1.1 200 OK

Date: Thu, 04 Jul 2024 05:09:59 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Sun, 29-Jun-2025 05:09:59 GMT; path=/
set-cookie: site_version=HDv3; expires=Sun, 29-Jun-2025 05:09:59 GMT; path=/
set-cookie: captcha-tracker=; expires=Wed, 03-Jul-2024 05:09:59 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uxBBFep7DLs36NA3TOZMlm8UQmobGMl%2FX0LVwPg8ZMv0%2FnA8T%2FbkGy9Yqtpk6T4zjq%2FV8lHRHdsdRyxLPyY58AzRcZGMKjf5lHft8vRbaau9kH%2F6dQYlOhenong5%2F3mGbpclJqM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89dc9b364f2079b9-LHR
Content-Encoding: gzip
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

66.154.119.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

66.154.119.18.in-addr.arpa

IN PTR

Response

66.154.119.18.in-addr.arpa

IN PTR

ec2-18-119-154-66 us-east-2compute amazonawscom
DNS

67.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.169.217.172.in-addr.arpa

IN PTR

Response

67.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f31e100net
DNS

191.70.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.70.67.172.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

174.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.117.168.52.in-addr.arpa

IN PTR

Response

18.119.154.66:80

http://www.app-zilla.com/register_install_ppd.php

http

regver.exe

665 B
284 B
5
3

HTTP Request

GET http://www.app-zilla.com/register_install_ppd.php

HTTP Response

302
172.67.70.191:443

https://www.hugedomains.com/domain_profile.cfm?d=app-zilla.com

tls, http

regver.exe

1.4kB
9.3kB
15
13

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=app-zilla.com

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

www.app-zilla.com

dns

regver.exe

63 B
194 B
1
1

DNS Request

www.app-zilla.com

DNS Response

18.119.154.66

3.140.13.188
8.8.8.8:53

www.hugedomains.com

dns

regver.exe

65 B
113 B
1
1

DNS Request

www.hugedomains.com

DNS Response

172.67.70.191

104.26.6.37

104.26.7.37
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

66.154.119.18.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

66.154.119.18.in-addr.arpa
8.8.8.8:53

67.169.217.172.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.169.217.172.in-addr.arpa
8.8.8.8:53

191.70.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

191.70.67.172.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

174.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

174.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe

Filesize
332KB

MD5
fa199dffc4991a36725e1a2d272e787e

SHA1
68c1db76a8080782e3f450e3f724e4e1564b18f6

SHA256
13c8453cb118d3f9d2dc2a1189633ab10162f902758320487f03daf124c4bb9e

SHA512
8dc6a2369dc87148ac45cd6ae37f33fcb32c4fd863d17f6166a41c7a4ef40edd6a4da0f57536f382e550add791bf678a5116e0f1cb440649be1b924c3a31a520

Download Submit
C:\Users\Admin\AppData\Local\TempImg\regver.exe

Filesize
290KB

MD5
9181b183dd3096301e7211ed0312de8a

SHA1
0c321747b581ad79da70dc9aab183cc12c3bbefd

SHA256
202fcecc53f1ffd2d1d85cc4cc79a24ae37285ce564e15615b5d13ca69487968

SHA512
5316e0511746c75603ba02eaf79b9aafbb29356f94279f466d3f17e9894082f14cf052ca3b8f52a149815e8c9b58f5d4b02ef1dcc3d677dc27032480f788adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4806.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4806.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.