Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-08-2024 06:08

General

  • Target

    baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe

  • Size

    334KB

  • MD5

    baa604dc86589ef7c5ce47722e4c1900

  • SHA1

    2c341c7f92aae1e659eb407ceb629ea94d3573e5

  • SHA256

    cfa38f8a3c4cea8f6a0004dfceeaae1fd3c8ad155724f5869f8b67f96796df60

  • SHA512

    40ae631b8124a24f8004c93da09969c861e6a79f6fec345ab99556e9fd69977112236240b21e2ff4e6c3a88e5b0c80f031a9504ba3fde408fa9cb6fab2a7e924

  • SSDEEP

    6144:KZuuObR8sVImcyYOY2Jy+bu8a5n5TQL5rqrOxxbxtK7SU1uGxHkcv8pcqBJ:ZV+mzxggVa5nUBqraFLGSwuqkcvIJ

Malware Config

Signatures

  • Andromeda, Gamarue

    Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

  • Detects Andromeda payload. 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sar3.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Users\Admin\AppData\Local\Temp\tuk.exe
        tuk.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4656
      • C:\Windows\SysWOW64\PING.EXE
        ping microsoft.com
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2092
      • C:\Users\Admin\AppData\Local\Temp\bot_0.exe
        bot_0.exe
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\syswow64\svchost.exe
          4⤵
          • Adds policy Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:4176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bot_0.exe

    Filesize

    13KB

    MD5

    8a7616551ce19dda50daca2479c2de76

    SHA1

    a8abeaf5b460f77dee2005df3c2dc79428743d2c

    SHA256

    7cd1560ea0d639d9d6d945646be21aba72590cd37f57fe313de93822f4ca839f

    SHA512

    04a3a7fc095f6135e859718876da4b84ab3fe009f181e6ab356917208d5b17f31944fcb64b111ab0d8e8fe28e1722411520ea52221f3136fafc765116fe7e1b0

  • C:\Users\Admin\AppData\Local\Temp\sar3.bat

    Filesize

    50B

    MD5

    f358b9d1143fa9d78422b30a9eadf455

    SHA1

    f0219285c28b74d223020ef2957cd99c0c6b00dc

    SHA256

    7db3bafa7acbd9f1707411aac175b3825a33639c88a2feec7851acc7cc3fa375

    SHA512

    d87be7981f74751f8b0d95cc0f98292feff3cec1332f636442b7788d48a5a50b457fdde12a87522bc5223b1c536080b36473c5cd446402baee308217a4ff0ada

  • C:\Users\Admin\AppData\Local\Temp\tuk.exe

    Filesize

    555KB

    MD5

    8c3244a681b016bda5032d10af658f60

    SHA1

    7eb5c556792d7a44e89b25f18ed9bf3cb4ba798f

    SHA256

    f68a970f8830602aa5497693ed6773ca9078c900727c4bdf09061fcf55fbe3df

    SHA512

    6bac24aa93de215abc015b47a46f179066d9bfa6d5fe77ca862fb114fa4358ff241e5f012f3dfe953cf39621a593aa47c2ab20acbb9563f4ac133e9b3146ca8a

  • memory/852-13-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3536-18-0x0000000000410000-0x0000000000412000-memory.dmp

    Filesize

    8KB

  • memory/3536-16-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/4176-19-0x0000000000560000-0x000000000056E000-memory.dmp

    Filesize

    56KB

  • memory/4176-21-0x0000000000560000-0x000000000056E000-memory.dmp

    Filesize

    56KB

  • memory/4176-24-0x0000000000FD0000-0x0000000000FD5000-memory.dmp

    Filesize

    20KB

  • memory/4176-28-0x0000000000FD0000-0x0000000000FD5000-memory.dmp

    Filesize

    20KB

  • memory/4656-12-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

    Filesize

    4KB

  • memory/4656-22-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

    Filesize

    4KB

  • memory/4656-30-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB