Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/07/2024, 21:07 UTC

General

  • Target

    31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    31f9df1458239be365b6dfba522d4cca

  • SHA1

    4ec899810aeb5729aa5c2b10992c487851477f60

  • SHA256

    c1c9e703e13fd8c4bb6f92d56adada2b8850edc0e83758daa2e7788256c7631c

  • SHA512

    92d9b9d0d96bf01d816d91ffef4182aac5ba259ccabbaf4f4a7f78fd7064f8f4ad1f4439248a314ef29d946e2bee20800fa01a0be958247613d0ab82dbd161b6

  • SSDEEP

    49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1rL:o7AEvgVOy29Ls3JslVYzjMO26iu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp" /SL5="$D0150,2280122,153088,C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe
        "C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="13.rar" /fid= /stats=1POL1UzUZT+dFYvM/hhRwR7ny+2z3tGBkReVEOPv4MrNQa3TpF29AxS5gP04SMEsOWQ9kUNTLJzUoDoYgd0cgg== /param=0
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2700
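The chain above is the standard Inno Setup hand-off: the installer in %TEMP% unpacks its real setup program into an is-XXXXX.tmp directory and relaunches it with the /SL5= switch, and the files that setup program extracts (including the stock helper _isetup\_shfoldr.dll) land in a second is-XXXXX.tmp directory. What singles this sample out is the third process: WMF.exe, executed from that extraction directory with tracking switches (/aid, /sid, /name="13.rar" and a base64 blob in /stats). The detection below is an added example written for this page, not the sandbox vendor's signature logic; it walks constructed process-creation events modelled on the tree above and reports the chain. The event schema (pid, ppid, image, cmdline) is an assumption, not a specific EDR format.

```python
"""Detect the Inno Setup loader -> unpacked setup -> dropped payload chain.

Added example, not part of the sandbox report or of any vendor's detection
content. The three events below are constructed from the process tree above;
the event fields (pid, ppid, image, cmdline) are an assumed, generic schema.
"""
import base64
import re
from typing import Dict, List

# Constructed process-creation events mirroring the report's process tree.
EVENTS = [
    {"pid": 2976, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe"'},
    {"pid": 320, "ppid": 2976,
     "image": r"C:\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp" '
                r'/SL5="$D0150,2280122,153088,C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe"'},
    {"pid": 2700, "ppid": 320,
     "image": r"C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="13.rar" /fid= '
                r'/stats=1POL1UzUZT+dFYvM/hhRwR7ny+2z3tGBkReVEOPv4MrNQa3TpF29AxS5gP04SMEsOWQ9kUNTLJzUoDoYgd0cgg== /param=0'},
]

# Inno Setup unpacks its real setup program into %TEMP%\is-XXXXX.tmp\ and starts it
# with /SL5="$hwnd,<number>,<number>,<path of the original installer exe>".
IS_TMP_DIR = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
SL5_SWITCH = re.compile(r'/SL5="\$[0-9A-Fa-f]+,\d+,\d+,([^"]+)"', re.IGNORECASE)
# /key=value switches: value is either "quoted" (group 2) or bare/empty (group 3).
SWITCH = re.compile(r'/(\w+)=(?:"([^"]*)"|(\S*))')


def parse_switches(cmdline: str) -> Dict[str, str]:
    """Collect /key=value switches; values may be quoted, bare or empty."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SWITCH.finditer(cmdline)}


def looks_opaque(value: str) -> bool:
    """True for a base64 string that decodes to 32+ bytes that are mostly not text."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{32,}={0,2}", value):
        return False
    raw = base64.b64decode(value)
    printable = sum(32 <= b < 127 for b in raw)
    return len(raw) >= 32 and printable < 0.9 * len(raw)


def find_inno_chains(events: List[dict]) -> List[dict]:
    """Return one finding per process started by an Inno Setup setup program from is-*.tmp."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for setup in events:
        sl5 = SL5_SWITCH.search(setup["cmdline"])
        if not sl5 or not IS_TMP_DIR.search(setup["image"]):
            continue
        loader = by_pid.get(setup["ppid"])
        # The path inside /SL5= must be the parent: the installer relaunching its
        # unpacked copy is the normal hand-off; the finding is what that copy runs next.
        if loader is None or loader["image"].lower() != sl5.group(1).lower():
            continue
        for child in events:
            if child["ppid"] != setup["pid"] or not IS_TMP_DIR.search(child["image"]):
                continue
            switches = parse_switches(child["cmdline"])
            findings.append({
                "loader_pid": loader["pid"],
                "setup_pid": setup["pid"],
                "payload_pid": child["pid"],
                "payload": child["image"],
                "switches": switches,
                # Base64 blobs on the command line are worth decoding offline.
                "opaque": [k for k, v in switches.items() if looks_opaque(v)],
            })
    return findings


if __name__ == "__main__":
    for f in find_inno_chains(EVENTS):
        print(f"payload {f['payload']} (pid {f['payload_pid']}) via setup pid {f['setup_pid']}, "
              f"loader pid {f['loader_pid']}; opaque switches: {f['opaque']}")
```

Legitimate Inno Setup installers also run helpers or prerequisites from their {tmp} directory, so treat a hit as a hunting lead rather than a verdict: the opaque switch values and the payload's hash (WMF.exe, MD5 665ecaa9b05b183eceb5fa566240b673 per the Downloads section) are the filters that separate this sample from an ordinary install.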

Network

  • DNS (US) 1.list.fullmedialibrary.com, from WMF.exe, remote address 8.8.8.8:53
    Request:  1.list.fullmedialibrary.com IN A
    Response: (empty)
  • DNS (US) mfapi.com, from WMF.exe, remote address 8.8.8.8:53
    Request:  mfapi.com IN A
    Response: mfapi.com IN A
      173.255.194.134
      198.58.118.167
      45.33.23.183
      72.14.185.43
      45.33.30.197
      45.33.18.44
      45.79.19.196
      45.56.79.23
      96.126.123.244
      45.33.20.235
      45.33.2.79
      72.14.178.174
  • HTTP GET (US) http://mfapi.com/?action=log&category=MF_micro_install&event=MicroInstaller&label=Start, from WMF.exe, remote address 173.255.194.134:80
    Request:
      GET /?action=log&category=MF_micro_install&event=MicroInstaller&label=Start HTTP/1.0
      Host: mfapi.com
      Keep-Alive: 300
      Connection: keep-alive
      User-Agent: MicroInstaller
    Response:
      HTTP/1.1 403 Forbidden
      server: openresty/1.13.6.1
      date: Tue, 09 Jul 2024 21:28:59 GMT
      content-type: text/html
      content-length: 175
      x-fail-reason: Bad Actor
      connection: close
  Connections (destination, request, protocol, process, bytes sent, bytes received, packets out, packets in):

  • 173.255.194.134:80  http://mfapi.com/?action=log&category=MF_micro_install&event=MicroInstaller&label=Start  http  WMF.exe  496 B  529 B  7  4
    HTTP Request:  GET http://mfapi.com/?action=log&category=MF_micro_install&event=MicroInstaller&label=Start
    HTTP Response: 403
  • 8.8.8.8:53  1.list.fullmedialibrary.com  dns  WMF.exe  73 B  146 B  1  1
    DNS Request:  1.list.fullmedialibrary.com
  • 8.8.8.8:53  mfapi.com  dns  WMF.exe  55 B  247 B  1  1
    DNS Request:  mfapi.com
    DNS Response: 173.255.194.134, 198.58.118.167, 45.33.23.183, 72.14.185.43, 45.33.30.197, 45.33.18.44, 45.79.19.196, 45.56.79.23, 96.126.123.244, 45.33.20.235, 45.33.2.79, 72.14.178.174
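WMF.exe resolves two names and sends a single HTTP request: a telemetry GET (action=log, event=MicroInstaller, label=Start) to mfapi.com with the User-Agent MicroInstaller, which the server refuses with 403 and an x-fail-reason: Bad Actor header; the lookup of 1.list.fullmedialibrary.com returns no records. Whatever the installer would have done after an accepted Start event is therefore absent from this run, so the behaviour recorded above is a lower bound. The script below is an added example, not part of the report: it parses the request and response reconstructed from the capture (the 175-byte response body was not captured and is omitted), extracts the indicators a hunter would pivot on, and emits a Suricata rule for the User-Agent. The rule's sid is a placeholder.

```python
"""Turn the WMF.exe beacon from the Network section into hunting indicators.

Added example, not part of the sandbox report. RAW_REQUEST and RAW_RESPONSE
are reconstructed from the report (the 175-byte response body was not
captured, so it is omitted); the Suricata rule's sid is a placeholder.
"""
import urllib.parse
from typing import Dict, List, Tuple

RAW_REQUEST = (
    "GET /?action=log&category=MF_micro_install&event=MicroInstaller&label=Start HTTP/1.0\r\n"
    "Host: mfapi.com\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: MicroInstaller\r\n"
    "\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "server: openresty/1.13.6.1\r\n"
    "date: Tue, 09 Jul 2024 21:28:59 GMT\r\n"
    "content-type: text/html\r\n"
    "content-length: 175\r\n"
    "x-fail-reason: Bad Actor\r\n"
    "connection: close\r\n"
    "\r\n"
)
REMOTE_IP = "173.255.194.134"
# The twelve A records the report shows for mfapi.com.
MFAPI_A_RECORDS = [
    "173.255.194.134", "198.58.118.167", "45.33.23.183", "72.14.185.43",
    "45.33.30.197", "45.33.18.44", "45.79.19.196", "45.56.79.23",
    "96.126.123.244", "45.33.20.235", "45.33.2.79", "72.14.178.174",
]


def parse_message(raw: str) -> Tuple[List[str], Dict[str, str]]:
    """Split an HTTP request or response into start-line parts and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 2), headers


def summarize(raw_req: str, raw_resp: str, remote_ip: str, a_records: List[str]) -> dict:
    """Extract the pivots a hunter wants from one request/response pair."""
    (method, target, version), req = parse_message(raw_req)
    (_, status, _reason), resp = parse_message(raw_resp)
    parts = urllib.parse.urlsplit(target)
    code = int(status)
    return {
        "method": method,
        "url": f"http://{req['host']}{parts.path}?{parts.query}",
        "user_agent": req.get("user-agent"),
        # The query string is a telemetry event (action=log ...), not a download.
        "telemetry": dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True)),
        # HTTP/1.0 with a Keep-Alive: 300 header is a pre-HTTP/1.1 client convention;
        # together with the bare User-Agent it makes a cheap client fingerprint.
        "legacy_http": version == "HTTP/1.0" and "keep-alive" in req,
        "status": code,
        "server_verdict": resp.get("x-fail-reason"),
        # A refused beacon means everything the installer does after a successful
        # "Start" event was not observed in this run.
        "server_accepted": code < 400,
        "remote_ip_in_dns": remote_ip in a_records,
        "dns_answer_count": len(a_records),
    }


def suricata_rule(user_agent: str, sid: int) -> str:
    """Suricata 5+ rule matching the beacon's User-Agent via the http.user_agent sticky buffer."""
    return ('alert http any any -> any any ('
            f'msg:"Installer telemetry beacon, User-Agent {user_agent}"; '
            'flow:established,to_server; '
            f'http.user_agent; content:"{user_agent}"; nocase; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    summary = summarize(RAW_REQUEST, RAW_RESPONSE, REMOTE_IP, MFAPI_A_RECORDS)
    for key, value in summary.items():
        print(f"{key:18} {value}")
    print(suricata_rule(summary["user_agent"], 1000001))
```

The sandbox connected to the first A record of twelve, so block the domain (and the User-Agent) rather than the single IP; the other eleven addresses are equally valid destinations for the next run.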

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\default.xml

    Filesize

    2KB

    MD5

    4c219b78a305d3e52c811542154bb224

    SHA1

    7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

    SHA256

    a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

    SHA512

    bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

  • \Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe

    Filesize

    3.3MB

    MD5

    665ecaa9b05b183eceb5fa566240b673

    SHA1

    8b115b8053905c20c14fe079695341345d2438a1

    SHA256

    7da8e667bed83fe17f75f2836230e59e7d7c52ec9e45269f6c7a738446823932

    SHA512

    56abfe393d84c244396be52843fbf31cbe10934674f60f8fe5a1ded4944f26aafd56b19f1be02e4de2dc2ee4e7e51d436351a86519f11a399ac483eb34e5c072

  • \Users\Admin\AppData\Local\Temp\is-431PG.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp

    Filesize

    1.1MB

    MD5

    8811a0652c18dbcf68955f99df537eb8

    SHA1

    70cff6c43c0f873295dc085018639dff02f33012

    SHA256

    d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

    SHA512

    ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

  • memory/320-10-0x0000000000400000-0x0000000000529000-memory.dmp

    Filesize

    1.2MB

  • memory/320-41-0x0000000000400000-0x0000000000529000-memory.dmp

    Filesize

    1.2MB

  • memory/2700-38-0x0000000000400000-0x00000000007E2000-memory.dmp

    Filesize

    3.9MB

  • memory/2700-42-0x0000000000400000-0x00000000007E2000-memory.dmp

    Filesize

    3.9MB

  • memory/2976-3-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

  • memory/2976-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2976-40-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB
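The hashes above let an analyst confirm whether files collected from a host are the same artifacts. The check below is an added example, not part of the report: it copies the MD5 and SHA256 values from the Downloads list and takes file contents as bytes, so it runs anywhere and reading files from disk is left to the caller. A file that agrees with one of an indicator's digests but not another points at a corrupted or tampered indicator rather than a real match, and is reported as partial instead of match.

```python
"""Match collected files against the dropped-file hashes listed under Downloads.

Added example, not part of the sandbox report. REPORT_HASHES copies the MD5 and
SHA256 values from the Downloads list (keys are paths relative to %TEMP%); file
contents are passed in as bytes so the check runs anywhere.
"""
import hashlib
from typing import Dict, List, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

REPORT_HASHES: Dict[str, Dict[str, str]] = {
    r"is-431PG.tmp\default.xml": {
        "md5": "4c219b78a305d3e52c811542154bb224",
        "sha256": "a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c"},
    r"is-431PG.tmp\WMF.exe": {
        "md5": "665ecaa9b05b183eceb5fa566240b673",
        "sha256": "7da8e667bed83fe17f75f2836230e59e7d7c52ec9e45269f6c7a738446823932"},
    r"is-431PG.tmp\_isetup\_shfoldr.dll": {
        "md5": "92dc6ef532fbb4a5c3201469a5b5eb63",
        "sha256": "9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87"},
    r"is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp": {
        "md5": "8811a0652c18dbcf68955f99df537eb8",
        "sha256": "d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230"},
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Every digest type the report lists, computed over the same data."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    for h in hashers.values():
        h.update(data)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def check_file(data: bytes, indicators: Dict[str, Dict[str, str]] = REPORT_HASHES) -> List[Tuple[str, str]]:
    """Return (indicator name, verdict) for every indicator sharing at least one digest.

    'match'   every algorithm the indicator lists agrees with the data;
    'partial' some agree and some do not: the indicator is internally inconsistent
              (copy error or deliberate mismatch) and must not be trusted as a hit.
    """
    digests = hash_bytes(data)
    hits: List[Tuple[str, str]] = []
    for name, expected in indicators.items():
        agree = [algo for algo, value in expected.items() if digests[algo] == value.lower()]
        if agree:
            hits.append((name, "match" if len(agree) == len(expected) else "partial"))
    return hits


if __name__ == "__main__":
    # Constructed input: any bytes that are not one of the dropped files yield no hits.
    print(check_file(b"not one of the dropped files"))
```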
