Analysis
-
max time kernel
149s -
max time network
82s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
31-07-2024 03:50
Behavioral task
behavioral1
Sample
7b265e33408651503993728ef02b990d_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
7b265e33408651503993728ef02b990d_JaffaCakes118.exe
-
Size
436KB
-
MD5
7b265e33408651503993728ef02b990d
-
SHA1
e04b5c90c5fd84b42d279ad6ad487f3f6246219d
-
SHA256
4424fa680a988afb5defe2afc22eb4b2d367823de222d0708502c957e4e0d1ed
-
SHA512
d7f1817f4cde6e0b8e73549e085cbb2ad2d956afa3bf81b78fe0d493fa5760ce00ebbf0d5bf91688fce37d6f72989406e183ce1bf275a96001a45669874ec8c8
-
SSDEEP
6144:2zU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOtsvFwfMHAXj:4U7M5ijWh0XOW4sEfeOSJHAz
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\xygow.exe aspack_v212_v242 -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2736 cmd.exe -
Executes dropped EXE 2 IoCs
Processes:
vaety.exexygow.exepid process 2424 vaety.exe 2196 xygow.exe -
Loads dropped DLL 3 IoCs
Processes:
7b265e33408651503993728ef02b990d_JaffaCakes118.exevaety.exepid process 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe 2424 vaety.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
vaety.execmd.exexygow.exe7b265e33408651503993728ef02b990d_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vaety.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xygow.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7b265e33408651503993728ef02b990d_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
xygow.exepid process 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe 2196 xygow.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
7b265e33408651503993728ef02b990d_JaffaCakes118.exevaety.exedescription pid process target process PID 3012 wrote to memory of 2424 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe vaety.exe PID 3012 wrote to memory of 2424 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe vaety.exe PID 3012 wrote to memory of 2424 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe vaety.exe PID 3012 wrote to memory of 2424 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe vaety.exe PID 3012 wrote to memory of 2736 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe cmd.exe PID 3012 wrote to memory of 2736 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe cmd.exe PID 3012 wrote to memory of 2736 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe cmd.exe PID 3012 wrote to memory of 2736 3012 7b265e33408651503993728ef02b990d_JaffaCakes118.exe cmd.exe PID 2424 wrote to memory of 2196 2424 vaety.exe xygow.exe PID 2424 wrote to memory of 2196 2424 vaety.exe xygow.exe PID 2424 wrote to memory of 2196 2424 vaety.exe xygow.exe PID 2424 wrote to memory of 2196 2424 vaety.exe xygow.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\vaety.exe"C:\Users\Admin\AppData\Local\Temp\vaety.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\xygow.exe"C:\Users\Admin\AppData\Local\Temp\xygow.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2196
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD516c800767fa0b88587402e883ff60426
SHA1b82215a563de8c85af9f9acb2566cf9695b5bafa
SHA256d83b393b3ff1b8e84c7348f9f1e5a147145fea1af6a7c9ab4659799358974d1f
SHA5121517df0b00992237d755be140bf0d80912792fe9deda0fa33cd321a73e1808bf61586d3472c7dadb470f61e9608038448c2ff621eedc3ea16b403bec20faaf35
-
Filesize
512B
MD549f667c12c0cdd6b440ed9afb05f80b1
SHA14a1c69ee30fc95e143fe471ac582edb6b678f914
SHA256ed798e35bfaa4ff0d2077fc7fa03544ad3e6899b8696f71d17d8e6f88e982fbb
SHA512324e9dbc4964d0cf3f45b51e1757fc0f9c6d700473234c31c2eefce7ce5c39471c4a8b970af29727fa54e53cf6be5c6fa26f712f81eb2fed7d8bbc9ab8e722be
-
Filesize
436KB
MD5a83b31f62ae8f5b29a33b63c84fcc693
SHA1c87c4efb643e2f5261c71405d85215e804cedec2
SHA256ace7adc9616be32a4f8162a3c7604cae021200ee1f3b217449e6bcaf6c1c0f27
SHA51247c123f4d9b33ef98ad4022f17f46522821d2996ecaea43e41e1207ee4521663c6122ab2fbe05d01d43831d328d63c9573220899174054e1085f1b48d650ac3b
-
Filesize
212KB
MD578ca289fb4a9fc8abb931cd989e34c2e
SHA16ac1041b7a1347c0f562bffa3257302c8dca6288
SHA25601066a77d9a5341ce548f2e941c42d8a41c586e935537621998283e4142b8102
SHA51253e05f66c40ab0dc5f1f4b2422adb62cffdb083ea313f937bd18eb54c452a8bc7bc87b1ec7d9616300ad273aae4c160095e45b0eebb4f7b9a6d33090fc4d18ff