Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 16-08-2024 20:02
Static task: static1
Behavioral task: behavioral1
- Sample: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
- Size: 108KB
- MD5: 9fbdc223fd2933fac5a9bb801f59c6b1
- SHA1: fca37e0fa1a54f97d6c02609a49acc291b454cc6
- SHA256: 28bc76580c4dccb7ec8fbfe82e6a0f094627556217650dcfcf80a7291a0fceaa
- SHA512: dd356c7047fdc1862c8cdae109c4ea234021f9be2520c41075571400e74e38a3775a4afbda7b14f08e608129ecca77325e6ee59b20e67271ed04c9441ca10013
- SSDEEP: 3072:pUX+caOwfR3qvW3ouQ/JLfIrjpvQ7qSMf8MfZG:pUX+cy3qvJuoLgKiEM
Malware Config
- Extracted family: latentbot
- Extracted value: insomniaftw.zapto.org
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 1760 | NUKrmnlqb.exe
  - 2424 | qwrtaw5.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  - 2232 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
  - 2232 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
  - 1760 | NUKrmnlqb.exe
  - 1760 | NUKrmnlqb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\ProgramData\\qwrtaw5.exe" | qwrtaw5.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NUKrmnlqb.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qwrtaw5.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | NUKrmnlqb.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | NUKrmnlqb.exe
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | qwrtaw5.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | qwrtaw5.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1760 | NUKrmnlqb.exe
  - Token: SeDebugPrivilege | 2424 | qwrtaw5.exe
  - Token: SeDebugPrivilege | 2424 | qwrtaw5.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | procid_target):
  - PID 2232 wrote to memory of 1760 | 2232 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 28
  - PID 2232 wrote to memory of 1760 | 2232 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 28
  - PID 2232 wrote to memory of 1760 | 2232 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 28
  - PID 2232 wrote to memory of 1760 | 2232 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 28
  - PID 1760 wrote to memory of 2424 | 1760 | NUKrmnlqb.exe | 29
  - PID 1760 wrote to memory of 2424 | 1760 | NUKrmnlqb.exe | 29
  - PID 1760 wrote to memory of 2424 | 1760 | NUKrmnlqb.exe | 29
  - PID 1760 wrote to memory of 2424 | 1760 | NUKrmnlqb.exe | 29
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe"
  PID: 2232
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\NUKrmnlqb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NUKrmnlqb.exe"
    PID: 1760
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\ProgramData\qwrtaw5.exe
      Command line: "C:\ProgramData\qwrtaw5.exe"
      PID: 2424
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  - Filesize: 31KB
  - MD5: ed797d8dc2c92401985d162e42ffa450
  - SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  - SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  - SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- Download 2
  - Filesize: 92KB
  - MD5: 60c9bb7c8e43d4c826aa2966929c011e
  - SHA1: 99c2727b79626e03b477c4170fb754dcfe3570ee
  - SHA256: 5874407a974b12892e668665f0f9c2ceb6fd8ddcf64df6b0649ccde59207c48d
  - SHA512: eafa7b6a837b54d04cc6f0ecf2326be17dd2a464c3832f1fd0f891178c1f67d1fa36bacf496cee60e64308108420c8c358d01f32b7474b6381122bdbf484366f