Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-07-2024 09:56

General

  • Target

    3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe

  • Size

    124KB

  • MD5

    3ce6e5720ab4610bb462ce58fe76e57c

  • SHA1

    ce7ba66b8d45b70237a3068a2038b40234c1de30

  • SHA256

    fba0947126aa9510732433e1b123de6b2e83a6d8b58ad6a25c2b733e8bb9e3b4

  • SHA512

    b270ff0b2039e8b64b5f646d2a436e06d2cd7b14781c3fec6234c131548b2dd97911b26ecc4b7d5830722a319e15bbc8f3f9cf2f732b4723877df49bc9208a7b

  • SSDEEP

    1536:8J7BjaqfcaIPaYcH8qJCDXL6+MoG7jM8XQQrHdA0WiCWROvN3rqUuznlCl:wjJIPaYccvQV735rHdAQVyNbMz4

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Gkz..bat" > nul 2> nul
      2⤵
        PID:5032

    Network

    • flag-us
      DNS
      clickbank.com
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      clickbank.com
      IN A
      Response
      clickbank.com
      IN A
      35.237.37.107
    • flag-us
      DNS
      xinhuanet.com
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      xinhuanet.com
      IN A
      Response
      xinhuanet.com
      IN CNAME
      xinhuanet.com.bsgslb.cn
      xinhuanet.com.bsgslb.cn
      IN CNAME
      zgovweb.v.bsgslb.cn
      zgovweb.v.bsgslb.cn
      IN A
      104.166.169.130
      zgovweb.v.bsgslb.cn
      IN A
      104.166.169.132
      zgovweb.v.bsgslb.cn
      IN A
      38.175.44.11
      zgovweb.v.bsgslb.cn
      IN A
      38.175.44.12
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      purelandfilms.in
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      purelandfilms.in
      IN A
      Response
    • flag-us
      DNS
      oomiaonline.in
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      oomiaonline.in
      IN A
      Response
    • flag-us
      DNS
      22.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 8.8.8.8:53
      clickbank.com
      dns
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      59 B
      75 B
      1
      1

      DNS Request

      clickbank.com

      DNS Response

      35.237.37.107

    • 8.8.8.8:53
      xinhuanet.com
      dns
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      59 B
      184 B
      1
      1

      DNS Request

      xinhuanet.com

      DNS Response

      104.166.169.130
      104.166.169.132
      38.175.44.11
      38.175.44.12

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      purelandfilms.in
      dns
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      62 B
      115 B
      1
      1

      DNS Request

      purelandfilms.in

    • 8.8.8.8:53
      oomiaonline.in
      dns
      3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
      60 B
      113 B
      1
      1

      DNS Request

      oomiaonline.in

    • 8.8.8.8:53
      22.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      22.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Gkz..bat

      Filesize

      238B

      MD5

      b07d45a94b10c60177d9fc88bafa479b

      SHA1

      1eeace587721f3f17315b047175a99201ace54a3

      SHA256

      11aad2488bd3189af444300c5ad26a461e664d6ab32a6aed01f685590a9d1829

      SHA512

      5d085bfb07d62cefda319b736b80c1b3437dc6a6fdc4dd465e30155d92607609c75dd53a0cfa490d8b9c58bdbe54da6dcfadf37010bbfeb49e8c7de8770fb78f

    • memory/2680-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2680-1-0x00000000009E0000-0x00000000009E1000-memory.dmp

      Filesize

      4KB

    • memory/2680-2-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2680-4-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2680-3-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2680-6-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB
