Analysis
- max time kernel: 149s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2024 23:35
Behavioral task: behavioral1
- Sample: 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe
- Size: 557KB
- MD5: 822db89c7caafdeab59a80d8afedb6a0
- SHA1: b345cf37f3a318649a2c9852ebc813e7b1e69271
- SHA256: 206a904b547eec8a102559b437b3359c77e5c8a9f3eb22abb062dba272f58cd3
- SHA512: cebad1b358a7c4d7f39534c1e1807b27ce9aea546424ddd1d0389ea6254cecdd4d698fd945cb9cb7e5cf08e9c4853b356af78972b633ff28af69b1e771b1a500
- SSDEEP: 12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyb:znPfQp9L3olqFb
Malware Config
Extracted
- Family: urelas
- C2 addresses (from the extracted config):
  - 1.234.83.146
  - 133.242.129.155
  - 218.54.31.226
  - 218.54.31.165
Signatures
-
Deletes itself (1 IoC)
Processes:
- PID 2156: cmd.exe
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 2336: daivh.exe
- PID 2452: xifiy.exe
-
Loads dropped DLL (2 IoCs)
Processes:
- PID 2128: 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe
- PID 2336: daivh.exe
-
Matches the upx YARA rule (UPX-packed code) (6 IoCs)
Resources (YARA rule: upx):
- behavioral1/memory/2128-0-0x0000000000400000-0x00000000004B6000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\daivh.exe
- behavioral1/memory/2336-17-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/memory/2128-18-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/memory/2336-21-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/memory/2336-27-0x0000000000400000-0x00000000004B6000-memory.dmp
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes (each opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
- daivh.exe
- cmd.exe
- xifiy.exe
- 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes:
- PID 2452: xifiy.exe (all 54 events)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID -> target PID, one line per event in the raw report; collapsed here with event counts):
- PID 2128 (822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe) wrote to memory of PID 2336 (daivh.exe): 4 events
- PID 2128 (822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe) wrote to memory of PID 2156 (cmd.exe): 4 events
- PID 2336 (daivh.exe) wrote to memory of PID 2452 (xifiy.exe): 4 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe"
  PID: 2128
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\daivh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\daivh.exe"
    PID: 2336
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\xifiy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xifiy.exe"
      PID: 2452
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2156
    - Deletes itself
    - System Location Discovery: System Language Discovery
-
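The process tree above is what the sandbox already shows, but the raw signature output repeats one WriteProcessMemory line per event and lists the self-deleting cmd.exe separately from the parent that spawned it. The script below is an added example (not sandbox or vendor code) that rebuilds the parent/child tree from lines in the shape of the "Suspicious use of WriteProcessMemory" signature, collapses the duplicate edges with counts, and flags the "cmd /c <batch file in Temp>" pattern that the "Deletes itself" signature fired on. The event lines and command lines are constructed to mirror this report; the regular expressions and function names are this example's own assumptions, not a sandbox API.

```python
import re
from collections import defaultdict

# Constructed input, shaped like this report's "Suspicious use of
# WriteProcessMemory" signature: the sandbox emits one line per event, so the
# same parent->child edge appears several times.
WPM_EVENTS = """\
PID 2128 wrote to memory of 2336 2128 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe daivh.exe
PID 2128 wrote to memory of 2336 2128 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe daivh.exe
PID 2128 wrote to memory of 2156 2128 822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe cmd.exe
PID 2336 wrote to memory of 2452 2336 daivh.exe xifiy.exe
"""

# Constructed: pid -> command line, copied from the report's process tree.
CMDLINES = {
    2128: r'"C:\Users\Admin\AppData\Local\Temp\822db89c7caafdeab59a80d8afedb6a0_JaffaCakes118.exe"',
    2336: r'"C:\Users\Admin\AppData\Local\Temp\daivh.exe"',
    2452: r'"C:\Users\Admin\AppData\Local\Temp\xifiy.exe"',
    2156: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "',
}

# "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>"
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# cmd /c "<path under \Temp\ ending in .bat>", tolerant of the doubled quotes
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*([^"]*\\temp\\[^"]*\.bat)', re.IGNORECASE)


def parse_edges(text):
    """Collapse repeated WriteProcessMemory lines into
    {(parent_pid, child_pid, parent_image, child_image): event_count}."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            counts[(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return dict(counts)


def build_tree(edges):
    """Turn parent->child edges into (children, names, roots)."""
    children, names = defaultdict(list), {}
    for parent, child, pimg, cimg in edges:
        children[parent].append(child)
        names[parent], names[child] = pimg, cimg
    all_children = {c for kids in children.values() for c in kids}
    roots = [pid for pid in names if pid not in all_children]
    return children, names, roots


def tree_lines(children, names, roots):
    """Render the tree as indented 'pid image' lines, depth-first."""
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{pid} {names[pid]}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def self_delete_batches(cmdlines):
    """Find cmd.exe instances that run a .bat out of a Temp directory: the
    'drop a batch file, let cmd delete the original' pattern behind the
    report's "Deletes itself" signature."""
    found = {}
    for pid, cmdline in cmdlines.items():
        m = SELF_DELETE_RE.search(cmdline)
        if m:
            found[pid] = m[1]
    return found


def summarize(events=WPM_EVENTS, cmdlines=CMDLINES):
    """Everything a triage note needs: deduplicated edges, tree, self-delete hits."""
    edges = parse_edges(events)
    children, names, roots = build_tree(edges)
    return {
        "edges": edges,
        "tree": tree_lines(children, names, roots),
        "self_delete": self_delete_batches(cmdlines),
    }


if __name__ == "__main__":
    s = summarize()
    print("\n".join(s["tree"]))
    for (p, c, pimg, cimg), n in s["edges"].items():
        print(f"{pimg}({p}) -> {cimg}({c}): {n} WriteProcessMemory events")
    for pid, bat in s["self_delete"].items():
        print(f"self-delete candidate: cmd.exe PID {pid} runs {bat}")
```

The edge count matters in practice: four WriteProcessMemory events per child is what a normal CreateProcess of a dropped executable looks like in this sandbox, whereas a much larger count into a single target is the shape of a hollowing or injection sequence and deserves a closer look at the memory dumps listed under the upx rule matches.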
Network
MITRE ATT&CK Enterprise v15
Downloads
-
File 1
- Filesize: 304B
- MD5: 44fed0c3b4f1dca994cc3c29b1379611
- SHA1: 20cc5a4064b019e1dc84d18f1ec490911059f128
- SHA256: 87e7c5356c17415ec5c45c665ce57e332e06247cf9fce1b4f837b6ffb3cca22e
- SHA512: dd7e1f318571f9441d7609ba1539a7d4b8fa3ac0c1ba94a9a4f2e973cca3e2ef4a11d19d90d72c9aa61f4a4a768fc09a7988d7d2e0e34080945e98b03030dfe8
-
File 2
- Filesize: 557KB
- MD5: 0404e95e1b385986778da8ae08446553
- SHA1: 7167d360eb4063e0c12de74bdb7cdb9015758b49
- SHA256: 2d634cf7f668c049fdeaad48cea63bd0c95c0841c3366cef3f3b843172fb890a
- SHA512: a4288224e834c61db39070016357299a8279c63e63a26890261ac0455151ae2c899bad9ee6665716722d0efe8b50ad6856e5b34d78721d3d8069848b0546a6df
-
File 3
- Filesize: 512B
- MD5: c8c91bd7d3165cd4a5a028e3a6fe7688
- SHA1: 76dd9eb03c1c71a2bf421ef2764e379b6270ee16
- SHA256: afad2d6cc3587e99c8fa9ffd6ad6daed5091f84386ea213928068416d5d75a03
- SHA512: d0dd389d7642a3e1c05956d269a2021b7df56fe60a0a0dad67af5840adb7b303fc4acbd45c7d5f5378844d5b3db736785dc02783cbc5fdc2638222717eabdca3
-
File 4
- Filesize: 194KB
- MD5: 6d5975857becd4eccdd1b0a26906bafb
- SHA1: 008947d10d39d463e2d2f2bddcbc1fd43ab3afd9
- SHA256: fc2ef65bd314c315adfa66046ddddba24ef0017f6424cd2b333485e376e52c8f
- SHA512: ce27f1ecbaca7b5fb9af2d1b3426abc039eb962ec1e9e4412f337016cb7ad309fb945b28164bfd458200c3a4887d0e67d00623d78d10c058b69aba58c36f613a