Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 06:08

General

  • Target

    baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe

  • Size

    334KB

  • MD5

    baa604dc86589ef7c5ce47722e4c1900

  • SHA1

    2c341c7f92aae1e659eb407ceb629ea94d3573e5

  • SHA256

    cfa38f8a3c4cea8f6a0004dfceeaae1fd3c8ad155724f5869f8b67f96796df60

  • SHA512

    40ae631b8124a24f8004c93da09969c861e6a79f6fec345ab99556e9fd69977112236240b21e2ff4e6c3a88e5b0c80f031a9504ba3fde408fa9cb6fab2a7e924

  • SSDEEP

    6144:KZuuObR8sVImcyYOY2Jy+bu8a5n5TQL5rqrOxxbxtK7SU1uGxHkcv8pcqBJ:ZV+mzxggVa5nUBqraFLGSwuqkcvIJ

Malware Config

Signatures

  • Andromeda, Gamarue

    Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

  • Detects Andromeda payload. 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sar3.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\tuk.exe
        tuk.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2148
      • C:\Windows\SysWOW64\PING.EXE
        ping microsoft.com
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2648
      • C:\Users\Admin\AppData\Local\Temp\bot_0.exe
        bot_0.exe
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\syswow64\svchost.exe
          C:\Windows\syswow64\svchost.exe
          4⤵
          • Adds policy Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:2636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sar3.bat

    Filesize

    50B

    MD5

    f358b9d1143fa9d78422b30a9eadf455

    SHA1

    f0219285c28b74d223020ef2957cd99c0c6b00dc

    SHA256

    7db3bafa7acbd9f1707411aac175b3825a33639c88a2feec7851acc7cc3fa375

    SHA512

    d87be7981f74751f8b0d95cc0f98292feff3cec1332f636442b7788d48a5a50b457fdde12a87522bc5223b1c536080b36473c5cd446402baee308217a4ff0ada

  • C:\Users\Admin\AppData\Local\Temp\tuk.exe

    Filesize

    555KB

    MD5

    8c3244a681b016bda5032d10af658f60

    SHA1

    7eb5c556792d7a44e89b25f18ed9bf3cb4ba798f

    SHA256

    f68a970f8830602aa5497693ed6773ca9078c900727c4bdf09061fcf55fbe3df

    SHA512

    6bac24aa93de215abc015b47a46f179066d9bfa6d5fe77ca862fb114fa4358ff241e5f012f3dfe953cf39621a593aa47c2ab20acbb9563f4ac133e9b3146ca8a

  • \Users\Admin\AppData\Local\Temp\bot_0.exe

    Filesize

    13KB

    MD5

    8a7616551ce19dda50daca2479c2de76

    SHA1

    a8abeaf5b460f77dee2005df3c2dc79428743d2c

    SHA256

    7cd1560ea0d639d9d6d945646be21aba72590cd37f57fe313de93822f4ca839f

    SHA512

    04a3a7fc095f6135e859718876da4b84ab3fe009f181e6ab356917208d5b17f31944fcb64b111ab0d8e8fe28e1722411520ea52221f3136fafc765116fe7e1b0

  • memory/1916-25-0x0000000000020000-0x0000000000022000-memory.dmp

    Filesize

    8KB

  • memory/2148-29-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2148-18-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2148-37-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

  • memory/2180-19-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2584-21-0x0000000000130000-0x0000000000135000-memory.dmp

    Filesize

    20KB

  • memory/2636-28-0x00000000003B0000-0x00000000003B8000-memory.dmp

    Filesize

    32KB

  • memory/2636-26-0x00000000003B0000-0x00000000003B8000-memory.dmp

    Filesize

    32KB

  • memory/2636-31-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/2636-35-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB