Analysis
max time kernel: 144s
max time network: 143s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 06:08
Static task: static1
Behavioral task: behavioral1
  Sample: baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
Size: 334KB
MD5: baa604dc86589ef7c5ce47722e4c1900
SHA1: 2c341c7f92aae1e659eb407ceb629ea94d3573e5
SHA256: cfa38f8a3c4cea8f6a0004dfceeaae1fd3c8ad155724f5869f8b67f96796df60
SHA512: 40ae631b8124a24f8004c93da09969c861e6a79f6fec345ab99556e9fd69977112236240b21e2ff4e6c3a88e5b0c80f031a9504ba3fde408fa9cb6fab2a7e924
SSDEEP: 6144:KZuuObR8sVImcyYOY2Jy+bu8a5n5TQL5rqrOxxbxtK7SU1uGxHkcv8pcqBJ:ZV+mzxggVa5nUBqraFLGSwuqkcvIJ
Malware Config
Signatures
Detects Andromeda payload. 2 IoCs
  resource | yara_rule
  behavioral1/memory/2636-31-0x0000000000020000-0x0000000000025000-memory.dmp | family_andromeda
  behavioral1/memory/2636-35-0x0000000000020000-0x0000000000025000-memory.dmp | family_andromeda
Adds policy Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\43714 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msweqpv.com" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Executes dropped EXE 2 IoCs
  pid | Process
  2148 | tuk.exe
  1916 | bot_0.exe
Loads dropped DLL 4 IoCs
  pid | Process
  2584 | cmd.exe
  2584 | cmd.exe
  2584 | cmd.exe
  2584 | cmd.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | bot_0.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | bot_0.exe
Drops file in Program Files directory 1 IoCs
  description | ioc | Process
  File created | C:\PROGRA~3\LOCALS~1\Temp\msweqpv.com | svchost.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tuk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bot_0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2648 | PING.EXE
Runs ping.exe 1 TTPs 1 IoCs
  pid | Process
  2648 | PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid | Process
  1916 | bot_0.exe
Suspicious behavior: MapViewOfSection 2 IoCs
  pid | Process
  1916 | bot_0.exe
  1916 | bot_0.exe
Suspicious use of WriteProcessMemory 20 IoCs
  description | pid | Process | procid_target
  PID 2180 wrote to memory of 2584 | 2180 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 30
  PID 2180 wrote to memory of 2584 | 2180 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 30
  PID 2180 wrote to memory of 2584 | 2180 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 30
  PID 2180 wrote to memory of 2584 | 2180 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 30
  PID 2584 wrote to memory of 2148 | 2584 | cmd.exe | 32
  PID 2584 wrote to memory of 2148 | 2584 | cmd.exe | 32
  PID 2584 wrote to memory of 2148 | 2584 | cmd.exe | 32
  PID 2584 wrote to memory of 2148 | 2584 | cmd.exe | 32
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 33
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 33
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 33
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 33
  PID 2584 wrote to memory of 1916 | 2584 | cmd.exe | 34
  PID 2584 wrote to memory of 1916 | 2584 | cmd.exe | 34
  PID 2584 wrote to memory of 1916 | 2584 | cmd.exe | 34
  PID 2584 wrote to memory of 1916 | 2584 | cmd.exe | 34
  PID 1916 wrote to memory of 2636 | 1916 | bot_0.exe | 35
  PID 1916 wrote to memory of 2636 | 1916 | bot_0.exe | 35
  PID 1916 wrote to memory of 2636 | 1916 | bot_0.exe | 35
  PID 1916 wrote to memory of 2636 | 1916 | bot_0.exe | 35
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2180

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sar3.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2584

    Level 3: C:\Users\Admin\AppData\Local\Temp\tuk.exe
      Command line: tuk.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2148

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping microsoft.com
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2648

    Level 3: C:\Users\Admin\AppData\Local\Temp\bot_0.exe
      Command line: bot_0.exe
      - Executes dropped EXE
      - Maps connected drives based on registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 1916

      Level 4: C:\Windows\syswow64\svchost.exe
        Command line: C:\Windows\syswow64\svchost.exe
        - Adds policy Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        PID: 2636
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 50B
MD5: f358b9d1143fa9d78422b30a9eadf455
SHA1: f0219285c28b74d223020ef2957cd99c0c6b00dc
SHA256: 7db3bafa7acbd9f1707411aac175b3825a33639c88a2feec7851acc7cc3fa375
SHA512: d87be7981f74751f8b0d95cc0f98292feff3cec1332f636442b7788d48a5a50b457fdde12a87522bc5223b1c536080b36473c5cd446402baee308217a4ff0ada

Filesize: 555KB
MD5: 8c3244a681b016bda5032d10af658f60
SHA1: 7eb5c556792d7a44e89b25f18ed9bf3cb4ba798f
SHA256: f68a970f8830602aa5497693ed6773ca9078c900727c4bdf09061fcf55fbe3df
SHA512: 6bac24aa93de215abc015b47a46f179066d9bfa6d5fe77ca862fb114fa4358ff241e5f012f3dfe953cf39621a593aa47c2ab20acbb9563f4ac133e9b3146ca8a

Filesize: 13KB
MD5: 8a7616551ce19dda50daca2479c2de76
SHA1: a8abeaf5b460f77dee2005df3c2dc79428743d2c
SHA256: 7cd1560ea0d639d9d6d945646be21aba72590cd37f57fe313de93822f4ca839f
SHA512: 04a3a7fc095f6135e859718876da4b84ab3fe009f181e6ab356917208d5b17f31944fcb64b111ab0d8e8fe28e1722411520ea52221f3136fafc765116fe7e1b0