Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 15:11
Behavioral task: behavioral1
Sample: 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
Size: 348KB
MD5: 80f81d74d457c942e265a5853eac035e
SHA1: bac98bdefce7d0ea78847708c118725efd00bd52
SHA256: ef61c13c329ad94a3c49ff59a9e16a83fdb7f5b5de7a87731af72ff99d1cb3ae
SHA512: 25c0271362a96a080104cbfcc415298dff435dba5a985ec355c4d202c8069cf7ddcccc16e883e860339c353592d62f0670548c56959295a9223d34bcfbe813eb
SSDEEP: 6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZ1:A0G5obGGraOpUWlpa
Malware Config

Extracted
Family: urelas
C2: 218.54.31.226
C2: 218.54.31.165
Signatures

Deletes itself (1 IoC)
Processes:
  2068 cmd.exe

Executes dropped EXE (3 IoCs)
Processes:
  2528 laryc.exe
  2896 loxony.exe
  1704 ynmif.exe

Loads dropped DLL (6 IoCs)
Processes:
  3016 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe (2)
  2528 laryc.exe (2)
  2896 loxony.exe (2)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes (each opened the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
  80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
  laryc.exe
  loxony.exe
  cmd.exe
  ynmif.exe
  cmd.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
  1704 ynmif.exe (62)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID, source image, target PID, target image, count):
  3016 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe -> 2528 laryc.exe (4)
  3016 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe -> 2068 cmd.exe (4)
  2528 laryc.exe -> 2896 loxony.exe (4)
  2896 loxony.exe -> 1704 ynmif.exe (4)
  2896 loxony.exe -> 692 cmd.exe (4)
Every target is a direct child of the writer and each child receives exactly four writes, which is consistent with ordinary process start-up of the spawned child rather than injection into an unrelated process; the signature is worth reading together with the process tree below.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe"
  PID: 3016
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\laryc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\laryc.exe"
    PID: 2528
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\loxony.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\loxony.exe" OK
      PID: 2896
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\ynmif.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ynmif.exe"
        PID: 1704
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 692
        - System Location Discovery: System Language Discovery

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2068
    - Deletes itself
    - System Location Discovery: System Language Discovery
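The Malware Config, Signatures and Processes sections above together describe four things a detection engineer can key on: a drop-and-execute chain that runs entirely out of %TEMP% (sample -> laryc.exe -> loxony.exe -> ynmif.exe), two cmd.exe children launched by %TEMP% executables to run _vslite.bat from %TEMP% (the behaviour the report flags as "Deletes itself"), reads of the NLS\Language registry key, and the two Urelas C2 addresses in the extracted config. The Python below is an added example, not part of this report or of any sandbox's own code: it turns those observations into detection logic and runs it over constructed Sysmon-style events shaped after the process tree. The event format, the PID 1500 parent, the benign control events and the network event to 218.54.31.226 are assumptions; the report lists the C2 addresses but records no connection to them.

```python
import re

# Indicators taken from the report: extracted Urelas C2 addresses and the
# paths/keys in the Signatures and Processes sections.
C2_IPS = {"218.54.31.226", "218.54.31.165"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat\b', re.IGNORECASE)
LANG_KEY_SUFFIX = r"\Control\NLS\Language".lower()

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = "80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe"


def temp(name):
    return TEMP + "\\" + name


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


BAT_CMD = 'cmd /c ""' + temp("_vslite.bat") + '" "'

# Constructed Sysmon-style events (not the sandbox's log), shaped after the
# process tree and registry IoCs in the report. PID 1500, the two benign control
# events and the network event are assumptions for the example.
EVENTS = [
    proc(3016, 1500, temp(SAMPLE), '"' + temp(SAMPLE) + '"'),
    proc(2528, 3016, temp("laryc.exe"), '"' + temp("laryc.exe") + '"'),
    proc(2068, 3016, CMD, BAT_CMD),
    proc(2896, 2528, temp("loxony.exe"), '"' + temp("loxony.exe") + '" OK'),
    proc(1704, 2896, temp("ynmif.exe"), '"' + temp("ynmif.exe") + '"'),
    proc(692, 2896, CMD, BAT_CMD),
    {"type": "registry", "pid": 2528,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "network", "pid": 1704, "dst_ip": "218.54.31.226", "dst_port": 80},
    # Benign controls: a build script run by cmd outside %TEMP%, and an unrelated connection.
    proc(4000, 1500, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\Admin\src\build.bat"'),
    {"type": "network", "pid": 4100, "dst_ip": "203.0.113.10", "dst_port": 443},
]


def processes(events):
    """Index process-creation events by PID so parents can be looked up."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def temp_exe_chains(events):
    """PIDs of executables in %TEMP% whose parent also ran from %TEMP%:
    the laryc.exe -> loxony.exe -> ynmif.exe drop-and-execute chain."""
    procs = processes(events)
    hits = set()
    for pid, e in procs.items():
        parent = procs.get(e["ppid"])
        if parent and TEMP_RE.search(e["image"]) and TEMP_RE.search(parent["image"]):
            hits.add(pid)
    return sorted(hits)


def temp_batch_from_temp_parent(events):
    """cmd.exe started by a %TEMP% executable to run a .bat in %TEMP%:
    the _vslite.bat pattern the report flags as 'Deletes itself'."""
    procs = processes(events)
    hits = set()
    for pid, e in procs.items():
        parent = procs.get(e["ppid"])
        if (parent and e["image"].lower().endswith("\\cmd.exe")
                and TEMP_BAT_RE.search(e["cmdline"]) and TEMP_RE.search(parent["image"])):
            hits.add(pid)
    return sorted(hits)


def language_probes(events):
    """PIDs that read HKLM\\...\\Control\\NLS\\Language (System Language Discovery, T1614.001)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry" and e["key"].lower().endswith(LANG_KEY_SUFFIX)})


def c2_connections(events):
    """PIDs connecting to the extracted Urelas C2 addresses."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "network" and e["dst_ip"] in C2_IPS})


def detect(events):
    return {
        "temp_exe_chain": temp_exe_chains(events),
        "temp_batch_self_delete": temp_batch_from_temp_parent(events),
        "language_discovery": language_probes(events),
        "urelas_c2": c2_connections(events),
    }


if __name__ == "__main__":
    for name, pids in detect(EVENTS).items():
        print(f"{name}: {pids}")
```

The chain and batch checks need the parent's image path, which is why each process event carries a ppid; on a real host, feed in Sysmon event ID 1 (process create), 12/13 (registry) and 3 (network) records with the same fields. The language-key read on its own is weak evidence, since plenty of legitimate software queries locale, so it is scored here only alongside the %TEMP% chain and the batch-file self-deletion.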
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 304B
MD5: 47f5f200f3e78591ff0c50a873215f2d
SHA1: 69d23d45e950ffe81c5d2b44fd34cdcbb6dd5e3f
SHA256: 6645fb979ad2e03f843c3531cb5462bd44860ff6240bff6f61803ed95f002115
SHA512: aa810d18fa0dc3fbce38cdbf32ed15a7a0e7c8f00592f45d5fc88e88ad2aff1debeceb537e44380d67882d822dc1cb5b4c3bfd132c71680c323a187582dcb8d0

Filesize: 224B
MD5: 70de57ca928f46226e571c5666d379be
SHA1: bfe14359bcd781ae68997cdcc485e1f92e997b26
SHA256: 11a41402a05357928bf3e69ce9ccd6e257413caba26827e6c72323d8bac842aa
SHA512: d565762be3c32cef29150ea25974e87131be48372e46a5e3ac62f38fc900677e4d9d537f0c5dc84788f1d540bd2713950d748b8ae0f0b37d2909911a1cbff132

Filesize: 512B
MD5: 93d1c8d116115dc5f9feba8bd3eb8605
SHA1: 16c1397fb352a557118aba27e9927fdd7741f08f
SHA256: 1f58f63cdec92450ee4bd90025b166f0f0b91e0aa3d63da2460f06b1e97ddb0a
SHA512: 28babed5a3a24bc02aca74f54b826ffd11170846d3b0fd6b88415bb59336481dd482f2ae1524e3a7f8acb50331bb509db218a7cf3e337709e68466d456030137

Filesize: 348KB
MD5: 373346bc6b19ff26c4a48009a8632722
SHA1: 76ffbb430c13a0baf84bf57c3c826d496ef81d13
SHA256: 433b0855c44f8a288e68db02179b8fd20020d5f9014b3d515e0bc95d812f02e8
SHA512: 250e2cd091dfb6f8ffd77e9eac1057ce9ecf1e5e6096ad38a60ccf93e6df00eb506076e09a8707d3ec8e70b835ca2a3b2ce65c7c4b9b1fcc23066d2c9fb6e9da

Filesize: 115KB
MD5: 5590b49cfdd63901bd157d5943524a06
SHA1: 537cf14d7c4f42dcfbca03b1af68bc511522dbf3
SHA256: 78791e00e39f19f21d7a4835133d66e13b925d5ccc4de1d1080d3ee3a969064f
SHA512: ac19e58c269f69d84689e1a76c9cbb0f00459d9c2a4e72ff97235fdd28038c089b0212d904e6db1d679caf69e0f816e2fcb6ef7aa3927f9259db8d7e669ee660