Overview

overview

7

Static

static

1

b821af9180...18.exe

windows7-x64

7

b821af9180...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2024, 15:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    b821af91801eb778f6ca1bdc67df042b

  • SHA1

    3dd3ad700423bc0857df311ead7606b18857c5b4

  • SHA256

    9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626

  • SHA512

    b16b686502b3d32116c086563d6efcd1818a65d0a6b4ca8e95dceb6edcea99ed21ffdc46a31d2494c65016e2fbfb7819361f5f4c71462a8f0df346da08bb1d8f

  • SSDEEP

    6144:7VdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b3y:7VdR16TBUJKVgk4jhGmy

Score
7/10
discovery

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2740
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2604
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2924
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2052
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2304
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1540
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:992

Network

  • flag-us
    DNS
    www.premiumsoft.info
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.premiumsoft.info
    IN A
    Response
    www.premiumsoft.info
    IN A
    84.32.84.33
  • flag-lt
    GET
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    Remote address:
    84.32.84.33:80
    Request
    GET /dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1 HTTP/1.1
    Accept: */*
    Host: www.premiumsoft.info
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: hcdn
    Date: Thu, 22 Aug 2024 15:16:43 GMT
    Content-Type: text/html
    Content-Length: 10932
    Connection: close
    Vary: Accept-Encoding
    alt-svc: h3=":443"; ma=86400
    x-hcdn-request-id: 0ff986b6d4f24802459a177d8bac48db-fast-edge1
    Expires: Thu, 22 Aug 2024 15:16:42 GMT
    Cache-Control: no-cache
    Accept-Ranges: bytes
  • flag-lt
    GET
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    Remote address:
    84.32.84.33:80
    Request
    GET /dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0 HTTP/1.1
    Accept: */*
    Host: www.premiumsoft.info
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: hcdn
    Date: Thu, 22 Aug 2024 15:16:44 GMT
    Content-Type: text/html
    Content-Length: 10932
    Connection: close
    Vary: Accept-Encoding
    alt-svc: h3=":443"; ma=86400
    x-hcdn-request-id: c9a3ead988c2f0b37433445209b4915d-fast-edge1
    Expires: Thu, 22 Aug 2024 15:16:43 GMT
    Cache-Control: no-cache
    Accept-Ranges: bytes
  • 84.32.84.33:80
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1
    http
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    619 B
     11.8kB
     10
    12

    HTTP Request

    GET http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=1

    HTTP Response

    200
  • 84.32.84.33:80
    http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0
    http
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    573 B
     11.8kB
     9
    12

    HTTP Request

    GET http://www.premiumsoft.info/dynamic/get_configuration.php?installer_id=4ebe6d6d3ddcd1.09209522&step_id=0

    HTTP Response

    200
  • 8.8.8.8:53
    www.premiumsoft.info
    dns
    b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
    66 B
     82 B
     1
    1

    DNS Request

    www.premiumsoft.info

    DNS Response

    84.32.84.33

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\InstallMate\5F6844C9\cfg\1.ini
    Filesize

    10KB

    MD5

    5ecd0a1c0993a62ff81ec1b2e25906f2

    SHA1

    2f16403b0e33ab0e95b118e1055e62021273e62d

    SHA256

    512bce7a3c222e34851ec2065ec8e3f1334ed70538a27457dc6504c6994e3df9

    SHA512

    1b2eb0d86fb8530d7e7aac25c799f09a9205dbd1a2936500ef99771bd69c9f94414bc83bfbf0d74ab0e1d987ad859c2515180cfc034d9ccc85d4a1878aa995c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5F6844C9\Setup.exe
    Filesize

    15KB

    MD5

    39e03e22e2c5cb67a7a750805de9435a

    SHA1

    50a3ff79f3815f58c8f2bb918fe156037a892387

    SHA256

    7d471a8df92de59217c60f1d1b2882fb04eadb44cf2dd313bba3c7e4d39678b4

    SHA512

    c7944d56f70190b3e6417f8923c844308d4840954afd613320c497170d87aa1300dc65472926c8691a242aa7fafbbdb3f2357ec178b340789f92245bb00dfff8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5F6844C9\Setup.ico
    Filesize

    4KB

    MD5

    c3926cef276c0940dadbc8142153cec9

    SHA1

    f8b350d2b7158f5ab147938961439860d77b9cb4

    SHA256

    0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

    SHA512

    5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat
    Filesize

    44B

    MD5

    7723c6bf4aa0a9356f10005131caec8d

    SHA1

    77db6f03684dd6597eb46bacb2eeb628944a6d8f

    SHA256

    3c34984b0121ae61a1c15099a12c0c51481ab73e2a961557d18b2efbb38184d4

    SHA512

    d9cba46feeb3006561d3c13c4783c66520cf1fe986e8b55887d4512174e7f60048992ee9fc573c13b2be6c66047fc4919c92691bdb5234e44d8c59f1463ab8b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs
    Filesize

    819B

    MD5

    0e4d3992166b5937274fa92e6e0ef99c

    SHA1

    32804f9362e8f842d81724b464a2d11db543c1e9

    SHA256

    1a7c7c703f79ae617f9b200a6059df21b353b8f4699e4659e388a1d0df31091f

    SHA512

    ae0909b8c2e84010b71e84c01b188dec647dfdf6ef1ded0eee3ea8f9c06b7835ad14273bc3ee1daf77c54f4d1558aa4ba264f7da2734564ff3cdfcf7aa5944c6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs
    Filesize

    1KB

    MD5

    af9abe0d6b919ea101942e5ce024c8d6

    SHA1

    56c98c3b53ff743acd3101116ea3136c66f87a2c

    SHA256

    27a4532cc40474fa8e89311e345ae0510523ba344f122510fd25e954dca96265

    SHA512

    bfac6b0b7ab22b64dced599a50cde16d2213bc24cda29f6cb5919c8576e319744ea5e07f4820f687183059e86111718619cb35bbd8a01fcf44664021ad075119

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat
    Filesize

    46B

    MD5

    ad2bbe71cf6ad0243143e5d841e84835

    SHA1

    78e290cb94731766dad12a884fdd2b9254b37d34

    SHA256

    c1b7f5a9a6878bfbbfa0d861c3dcca1b0261f186abbe509c4726892f6c861651

    SHA512

    d7d4864c2cb8e0e5212a7403855c96ef57e0757f8e3e50c6ffbfccd1ec0184b50d211ba1a8fdf9f89f47b688533b492de59dfa1fc8f0cb213c3efa995a59fdaf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs
    Filesize

    2KB

    MD5

    bd30de51d91b16ffd45c85cae60f49f4

    SHA1

    cf07463a231eff49166ae513b54257722013ee3d

    SHA256

    d1f521b4f1a3d35ca0bc9f3f1fe2a092814441378e00567ed3afafd3d4515e19

    SHA512

    e260d3d66363fda29527fba68f292cf9f1bd45aa47999e6ebc31d4205ac321d1a91b50f818ec466362b0d2e4cd54285a0266c9e4db58793cc8667280fd11d79e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat
    Filesize

    50B

    MD5

    afd1e5b8031e29eb3c94b2edb7a5485d

    SHA1

    08fdb21a99a0f91cb008144ec249b5eb1cd525f6

    SHA256

    01a28a52cc854e70830fc9c0c6914e133ecf54932b611fb1b9a4c5f756cdce9b

    SHA512

    3b795d2f94a222b5479d085268832ce7486746420430641d5ee092d5bb78c88b28870c5028e223ca89397ab5968c611e77e6e3c10405dce242281abf3cd45c94

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs
    Filesize

    419B

    MD5

    13d4e9b077cca14db5ca9c464c590e12

    SHA1

    36b9392dd6481afa14647d2ccdad184afd461889

    SHA256

    b1ab833022975434c5c6ce4b2fde6390a229ff0f22d32ebc7006245df70a0a5a

    SHA512

    d043bcb71923adee4095977d795934ec6680d46b86aa00b1396a5d9983895dbd76e3f94a0ee3e3b91b12577a3657cb3226ba6c73c3cbd38b23ac5c50411f94f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs
    Filesize

    304B

    MD5

    feeea64efee045be89023f8437397a0c

    SHA1

    6daa57e31f740bc75db53118b2d23d9ca176a878

    SHA256

    f06dfc8ebf5453fccafb5cb3fbb291e52dea372c5b39c75f1c2684bd9bae8ef4

    SHA512

    6deee8db105dd112ae104897d23b8bfc32a24704e2510b1a9ff4eaf0fe00a64597f7ba9ca0eeaae72fc97718004ecec81ab56c39452d52f966c190b784d1f3d8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\5F6844C9\_Setup.dll
    Filesize

    146KB

    MD5

    a3f3a3b608f9a6d604730cb689dc23c6

    SHA1

    67dbeb74940250916e0592e596aa492c09694f74

    SHA256

    4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

    SHA512

    beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

    Download Submit

  • \Users\Admin\AppData\Local\Temp\5F6844C9\_Setupx.dll
    Filesize

    16KB

    MD5

    f17dce858db6f84c1c149f8aebb1ce58

    SHA1

    e54f8c536dd66610d0678a3532c4f8834b01abe6

    SHA256

    f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

    SHA512

    c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Tsu-08A0.dll
    Filesize

    245KB

    MD5

    8c7a58965b71c9dfbf1a14d3369a2620

    SHA1

    26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

    SHA256

    f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

    SHA512

    97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.