Analysis

  • max time kernel: 93s
  • max time network: 118s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/07/2024, 06:11 UTC

General

  • Target: 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
  • Size: 4.4MB
  • MD5: 488e22d7fefe8ac231d2da624ad96498
  • SHA1: c3ae5927011b05ffab8f621b39ef82402754181d
  • SHA256: d32b094a2764078bf688d43a4fb94d237c2df90c5dd522ea74c95e19adc46e4f
  • SHA512: 12feed704854f45bd036236f058caa50bec6bed4f2f822bd6d0f59ebf76c9b24d4af78406159a800828155993cf02201d65b1168d4958ee59966e4731aadcc1d
  • SSDEEP: 98304:2DrVIXQGHHmg/HoHoxCQ8b/ahNlkQuyPgIhgp0wTA:OIXnjvoHo8QkahNSQucxupzk

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\_7CA2.tmpac7d.exe
      "C:\Users\Admin\AppData\Local\Temp\_7CA2.tmpac7d.exe" -p"09:03 PM" -y -o"C:\Users\Admin\AppData\Roaming\Security Monitor 12"
      2⤵
      • Executes dropped EXE
      PID:1264
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 884
      2⤵
      • Program crash
      PID:1276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3572 -ip 3572
    1⤵
    PID:1100

    Network

    DNS queries (all sent to 8.8.8.8:53; an empty response means the resolver answered with no records, "no response" means none was recorded):

    • 1721023901.net-testhdd.us; IN TXT; process 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe; response: empty
    • 1721023901.net-testhdd.us; IN TXT; process 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe; response: empty
    • 17.160.190.20.in-addr.arpa; IN PTR; response: empty
    • 88.156.103.20.in-addr.arpa; IN PTR; response: empty
    • 103.169.127.40.in-addr.arpa; IN PTR; response: empty
    • 206.23.85.13.in-addr.arpa; IN PTR; response: empty
    • 147.142.123.92.in-addr.arpa; IN PTR; response: a92-123-142-147.deploy.static.akamaitechnologies.com
    • 73.144.22.2.in-addr.arpa; IN PTR; response: a2-22-144-73.deploy.static.akamaitechnologies.com
    • 73.144.22.2.in-addr.arpa; IN PTR; no response
    • 21.236.111.52.in-addr.arpa; IN PTR; response: empty

    Note: the only lookups issued by the sample itself are the two TXT queries for 1721023901.net-testhdd.us; the label 1721023901 is the Unix timestamp for 15/07/2024 06:11:41 UTC, matching the submission time above. The in-addr.arpa PTR lookups have no process attributed to them.
    Traffic summary (remote address 8.8.8.8:53, protocol dns; columns: bytes sent / bytes received / requests / responses):

    • 1721023901.net-testhdd.us (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe): 71 B / 134 B / 1 / 1
    • 1721023901.net-testhdd.us (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe): 71 B / 134 B / 1 / 1
    • 17.160.190.20.in-addr.arpa: 72 B / 158 B / 1 / 1
    • 88.156.103.20.in-addr.arpa: 72 B / 158 B / 1 / 1
    • 103.169.127.40.in-addr.arpa: 73 B / 147 B / 1 / 1
    • 206.23.85.13.in-addr.arpa: 71 B / 145 B / 1 / 1
    • 147.142.123.92.in-addr.arpa: 73 B / 139 B / 1 / 1
    • 73.144.22.2.in-addr.arpa: 140 B / 133 B / 2 / 1
    • 21.236.111.52.in-addr.arpa: 72 B / 158 B / 1 / 1


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_7CA2.tmpac7d.exe
      Filesize: 2.7MB
      MD5: 45f906b15c0a53a1688e792fa9f05d5e
      SHA1: e3651d7c78869bdd686adab9277b479fa275f72b
      SHA256: 55cf03c9d94c6c4ca06f994ff63ced67cce69656ca6805632ab213d4e508ba9c
      SHA512: d93b751be6c92f69efb363079e259fe10691545ad4b02ac39028bfc185bf698b17aef98722980b1bc5de0f45d8172b242bb5729bcc65217d559cb7c1c8452169

    • memory/3572-0-0x0000000002C80000-0x0000000003055000-memory.dmp (Filesize: 3.8MB)
    • memory/3572-1-0x0000000000400000-0x0000000000BB6000-memory.dmp (Filesize: 7.7MB)
    • memory/3572-3-0x0000000000401000-0x00000000005C6000-memory.dmp (Filesize: 1.8MB)
    • memory/3572-2-0x0000000001010000-0x0000000001011000-memory.dmp (Filesize: 4KB)
    • memory/3572-23-0x0000000000401000-0x00000000005C6000-memory.dmp (Filesize: 1.8MB)
    • memory/3572-22-0x0000000002C80000-0x0000000003055000-memory.dmp (Filesize: 3.8MB)
    • memory/3572-21-0x0000000000400000-0x0000000000BB6000-memory.dmp (Filesize: 7.7MB)
