Analysis

  • max time kernel
    137s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/07/2024, 18:58 UTC

General

  • Target

    7d8f0a53352c9188acef922dbecfa588_JaffaCakes118.exe

  • Size

    577KB

  • MD5

    7d8f0a53352c9188acef922dbecfa588

  • SHA1

    dc6115bdc6d63f476203e54e40cb35df72d4014d

  • SHA256

    e12b58b042e361d227d4cc3e60e5b5c8ef49c7f70c306d1159c71a7eb335f5cd

  • SHA512

    6dd3b5d633344f0ee5d59589c28f45ab3647c5d41da27fe39f3025b826b2043a4fc094862762d4080d6546acac4996d25484501b09dc18da597dfb42e6600fa6

  • SSDEEP

    12288:TCLIa6MfgkSnojUbPYLAwiw7gku+uFvTBMrKr:uLI8LLAwxgr7r

Malware Config

Extracted

Family

buer

C2

https://178.62.46.155/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d8f0a53352c9188acef922dbecfa588_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7d8f0a53352c9188acef922dbecfa588_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\a48cf94fa46ee8a8cca4}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:728

Network

  • DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1D8621D4C576699031143519C49668DD; domain=.bing.com; expires=Mon, 25-Aug-2025 18:58:33 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FECA908EAE054CFF84012BF5A7FD069E Ref B: LON04EDGE1222 Ref C: 2024-07-31T18:58:33Z
    date: Wed, 31 Jul 2024 18:58:32 GMT
  • GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1D8621D4C576699031143519C49668DD
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=1rzMSy7XTA2AVPP8dNtD3Ft3udtjSbX2V8o8ALrhHs8; domain=.bing.com; expires=Mon, 25-Aug-2025 18:58:33 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E7BEBA5BAEE0430CAF8E6F1DAD9F67E6 Ref B: LON04EDGE1222 Ref C: 2024-07-31T18:58:33Z
    date: Wed, 31 Jul 2024 18:58:32 GMT
  • GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1D8621D4C576699031143519C49668DD; MSPTC=1rzMSy7XTA2AVPP8dNtD3Ft3udtjSbX2V8o8ALrhHs8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8D54CE305F3A43DBA39A3B3CBCB9B8E4 Ref B: LON04EDGE1222 Ref C: 2024-07-31T18:58:33Z
    date: Wed, 31 Jul 2024 18:58:33 GMT
  • DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • DNS
    96.136.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.136.73.23.in-addr.arpa
    IN PTR
    Response
    96.136.73.23.in-addr.arpa
    IN PTR
    a23-73-136-96.deploy.static.akamaitechnologies.com
  • DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    98.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.58.20.217.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=431c63f21c2447488bb794fb7c44c118&localId=w:A7EAB51C-2836-41B1-3F50-422845C778B6&deviceId=6825833428436991&anid=

    HTTP Response

    204
  • 178.62.46.155:443
    7d8f0a53352c9188acef922dbecfa588_JaffaCakes118.exe
    260 B
    5
  • 178.62.46.155:443
    7d8f0a53352c9188acef922dbecfa588_JaffaCakes118.exe
    260 B
    5
  • 178.62.46.155:443
    7d8f0a53352c9188acef922dbecfa588_JaffaCakes118.exe
    260 B
    5
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    96.136.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    96.136.73.23.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    98.58.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    98.58.20.217.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jt401bvl.cf0.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/688-0-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

  • memory/688-7-0x00000000004F0000-0x00000000004FD000-memory.dmp

    Filesize

    52KB

  • memory/688-4-0x0000000040000000-0x000000004000C000-memory.dmp

    Filesize

    48KB

  • memory/728-27-0x00000000069D0000-0x0000000006A1C000-memory.dmp

    Filesize

    304KB

  • memory/728-28-0x0000000006F00000-0x0000000006F32000-memory.dmp

    Filesize

    200KB

  • memory/728-10-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB

  • memory/728-12-0x0000000005A70000-0x0000000005A92000-memory.dmp

    Filesize

    136KB

  • memory/728-15-0x00000000062E0000-0x0000000006346000-memory.dmp

    Filesize

    408KB

  • memory/728-14-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB

  • memory/728-13-0x0000000006270000-0x00000000062D6000-memory.dmp

    Filesize

    408KB

  • memory/728-9-0x0000000002FF0000-0x0000000003026000-memory.dmp

    Filesize

    216KB

  • memory/728-21-0x0000000006350000-0x00000000066A4000-memory.dmp

    Filesize

    3.3MB

  • memory/728-26-0x0000000006940000-0x000000000695E000-memory.dmp

    Filesize

    120KB

  • memory/728-8-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

    Filesize

    4KB

  • memory/728-30-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB

  • memory/728-29-0x0000000070890000-0x00000000708DC000-memory.dmp

    Filesize

    304KB

  • memory/728-11-0x0000000005B50000-0x0000000006178000-memory.dmp

    Filesize

    6.2MB

  • memory/728-40-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

    Filesize

    120KB

  • memory/728-41-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB

  • memory/728-42-0x0000000007930000-0x00000000079D3000-memory.dmp

    Filesize

    652KB

  • memory/728-43-0x00000000082A0000-0x000000000891A000-memory.dmp

    Filesize

    6.5MB

  • memory/728-44-0x0000000007C60000-0x0000000007C7A000-memory.dmp

    Filesize

    104KB

  • memory/728-45-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

    Filesize

    40KB

  • memory/728-46-0x0000000007EE0000-0x0000000007F76000-memory.dmp

    Filesize

    600KB

  • memory/728-47-0x0000000007E60000-0x0000000007E71000-memory.dmp

    Filesize

    68KB

  • memory/728-48-0x0000000007E90000-0x0000000007E9E000-memory.dmp

    Filesize

    56KB

  • memory/728-49-0x0000000007EA0000-0x0000000007EB4000-memory.dmp

    Filesize

    80KB

  • memory/728-50-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

    Filesize

    104KB

  • memory/728-51-0x0000000007F80000-0x0000000007F88000-memory.dmp

    Filesize

    32KB

  • memory/728-54-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB
