Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    29/08/2024, 06:00 UTC

General

  • Target

    c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    c85508a5fb3df2485a261b8065f3eaff

  • SHA1

    14a395717348e96d023789d159fe7bc31fd76b6f

  • SHA256

    0eccc6053a483361e97971ed444d142701b4b55fa367545f9f8bee6fb6b02069

  • SHA512

    5ce8957f5df41264f7a457be808035f2d3883c8c631cec606619a614a4a772b1d7d70584caba93d5a6d45dfd0c2cd4080ae2f432124fff71a553d2be3751b77f

  • SSDEEP

    6144:Qe34jW7Mq1zQbe9DP3lpr4jAxLY6MhEVagKx:WUzQcbRx9TVPu

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file protected with the ACProtect packer.

  • Loads dropped DLL 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe"
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2072

Network

  • DNS
    img.uptodown.net
    c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    img.uptodown.net
    IN A
    Response
    img.uptodown.net
    IN CNAME
    t.sni.global.fastly.net
    t.sni.global.fastly.net
    IN A
    151.101.3.52
    t.sni.global.fastly.net
    IN A
    151.101.131.52
    t.sni.global.fastly.net
    IN A
    151.101.195.52
    t.sni.global.fastly.net
    IN A
    151.101.67.52
  • GET
    http://img.uptodown.net/miniicons/fake-webcam-6-1.jpg
    c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe
    Remote address:
    151.101.3.52:80
    Request
    GET /miniicons/fake-webcam-6-1.jpg HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: img.uptodown.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 500 Domain Not Found
    Connection: keep-alive
    Content-Length: 275
    Server: Varnish
    Retry-After: 0
    content-type: text/html
    Cache-Control: private, no-cache
    X-Served-By: cache-lcy-eglc8600027-LCY
    Accept-Ranges: bytes
    Date: Thu, 29 Aug 2024 06:00:45 GMT
    Via: 1.1 varnish
  • 151.101.3.52:80
    http://img.uptodown.net/miniicons/fake-webcam-6-1.jpg
    http
    c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe
    Sent: 712 B
    Received: 814 B
    Packets sent: 8
    Packets received: 6

    HTTP Request

    GET http://img.uptodown.net/miniicons/fake-webcam-6-1.jpg

    HTTP Response

    500
  • 8.8.8.8:53
    img.uptodown.net
    dns
    c85508a5fb3df2485a261b8065f3eaff_JaffaCakes118.exe
    Sent: 62 B
    Received: 160 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    img.uptodown.net

    DNS Response

    151.101.3.52
    151.101.131.52
    151.101.195.52
    151.101.67.52
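
The DNS lookup and the single HTTP GET above are the whole network footprint of this run. The Python below is an added example for this report, not part of the sandbox's own tooling: it parses the recorded request, response and DNS answers into structured indicators and attaches the triage notes a reviewer draws from them. The fetch was cleartext HTTP; the "500 Domain Not Found" from a Varnish edge means the CDN had no service configured for that Host at detonation time, so the URL may be a stale indicator; and the User-Agent is the IE-compatible string WinINet sends by default on a Windows 7 image, pointing at a WinINet-based downloader rather than a browser. The data constants are copied from the Network section; the Transaction fields and the note rules are this example's own assumptions.

```python
"""Parse the HTTP request/response and DNS answers recorded in the Network
section above into structured indicators plus triage notes. Added example;
the data constants are copied from the report, the rules are this example's."""
from dataclasses import dataclass, field

REQUEST = """GET /miniicons/fake-webcam-6-1.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: img.uptodown.net
Connection: Keep-Alive"""
RESPONSE = """HTTP/1.1 500 Domain Not Found
Connection: keep-alive
Content-Length: 275
Server: Varnish
Retry-After: 0
content-type: text/html
Cache-Control: private, no-cache
X-Served-By: cache-lcy-eglc8600027-LCY
Accept-Ranges: bytes
Date: Thu, 29 Aug 2024 06:00:45 GMT
Via: 1.1 varnish"""
# (owner, type, value) in the order the report lists the answer section.
DNS_ANSWERS = [
    ("img.uptodown.net", "CNAME", "t.sni.global.fastly.net"),
    ("t.sni.global.fastly.net", "A", "151.101.3.52"),
    ("t.sni.global.fastly.net", "A", "151.101.131.52"),
    ("t.sni.global.fastly.net", "A", "151.101.195.52"),
    ("t.sni.global.fastly.net", "A", "151.101.67.52"),
]
REMOTE = "151.101.3.52:80"  # "Remote address" of the GET in the report


@dataclass
class Transaction:
    method: str
    url: str
    host: str
    user_agent: str
    status: int
    reason: str
    cname_chain: list      # host, then each CNAME target in order
    resolved_ips: list     # A records of the final name in the chain
    remote_in_answers: bool
    notes: list = field(default_factory=list)


def parse_http_message(text):
    """Return (start line, {header name: value}) for an HTTP/1.x message head.
    Names are lower-cased: the capture mixes 'Content-Length' and 'content-type'."""
    lines = text.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def resolve_chain(answers, name):
    """Follow CNAME records from `name`; return (names visited, A records of the last)."""
    chain = [name]
    while True:
        targets = [v for n, t, v in answers if n == chain[-1] and t == "CNAME"]
        if not targets or targets[0] in chain:  # stop at the end or on a loop
            break
        chain.append(targets[0])
    return chain, [v for n, t, v in answers if n == chain[-1] and t == "A"]


def analyze(request, response, answers, remote, scheme="http"):
    start, req_h = parse_http_message(request)
    method, path, _ = start.split(" ", 2)
    status_line, resp_h = parse_http_message(response)
    _, code, reason = status_line.split(" ", 2)
    host = req_h.get("host", "")
    chain, ips = resolve_chain(answers, host)
    tx = Transaction(method, f"{scheme}://{host}{path}", host, req_h.get("user-agent", ""),
                     int(code), reason, chain, ips, remote.rsplit(":", 1)[0] in ips)
    if scheme == "http":
        tx.notes.append("cleartext HTTP: URL and headers were visible on the wire")
    if tx.status == 500 and reason == "Domain Not Found" and "varnish" in resp_h.get("server", "").lower():
        tx.notes.append("CDN edge has no service configured for this Host: "
                        "nothing was served at detonation time, so the URL may be a stale indicator")
    if "MSIE" in tx.user_agent:
        tx.notes.append("IE-compatible User-Agent (WinINet default on a Windows 7 image): "
                        "a WinINet-based downloader rather than a browser session")
    if not tx.remote_in_answers:
        tx.notes.append("remote address is not among the resolved A records")
    return tx


if __name__ == "__main__":
    tx = analyze(REQUEST, RESPONSE, DNS_ANSWERS, REMOTE)
    print(tx.method, tx.url, tx.status, tx.reason, " -> ".join(tx.cname_chain), tx.resolved_ips)
    for note in tx.notes:
        print("-", note)
```

The remote-address check is there because a mismatch between the IP the process connected to and the IPs the sandbox's resolver returned would indicate a hard-coded address or a second lookup the report does not show; here the GET went to the first A record, so no note is raised.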

MITRE ATT&CK Enterprise v15


Downloads

The four DLLs below were written to %TEMP%\nsj13A.tmp\, the per-run directory an NSIS installer creates for its plug-ins. System.dll, nsDialogs.dll and LangDLL.dll ship with NSIS and nsRandom.dll is a third-party NSIS plug-in, so the "Loads dropped DLL" hits are consistent with installer scaffolding; compare the hashes below against a clean NSIS distribution before treating them as indicators of this sample.

  • \Users\Admin\AppData\Local\Temp\nsj13A.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    9384f4007c492d4fa040924f31c00166

    SHA1

    aba37faef30d7c445584c688a0b5638f5db31c7b

    SHA256

    60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

    SHA512

    68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

  • \Users\Admin\AppData\Local\Temp\nsj13A.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsj13A.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

  • \Users\Admin\AppData\Local\Temp\nsj13A.tmp\nsRandom.dll

    Filesize

    21KB

    MD5

    ab467b8dfaa660a0f0e5b26e28af5735

    SHA1

    596abd2c31eaff3479edf2069db1c155b59ce74d

    SHA256

    db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

    SHA512

    7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

  • memory/2072-19-0x00000000004D0000-0x00000000004E2000-memory.dmp

    Filesize

    72KB

  • memory/2072-37-0x00000000004D0000-0x00000000004E2000-memory.dmp

    Filesize

    72KB
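
The dropped DLLs and the memory dumps above are identified only by path, hash and region name. The Python below is an added example for this report, not the sandbox's own code: it recognises NSIS's per-run %TEMP%\ns<letter><hex>.tmp\ plug-in directory and the stock plug-in file names, decodes a dump name into pid, sequence number and address range and checks that the range matches the stated 72KB, and verifies a file's digests against an expected set so the hashes listed here can be checked against a local copy. The plug-in name lists, the regexes and the constructed bytes used to exercise the digest check are this example's assumptions.

```python
"""Triage helpers for the Downloads section: NSIS plug-in drops, memory-dump
region names and digest verification. Added example; the paths and dump names
are copied from the report, the patterns and name lists are this example's."""
import hashlib
import re
from dataclasses import dataclass

# Plug-ins shipped with the NSIS distribution, and one common third-party one.
NSIS_STOCK_PLUGINS = {"system.dll", "nsdialogs.dll", "langdll.dll"}
NSIS_THIRD_PARTY_PLUGINS = {"nsrandom.dll"}
# NSIS extracts plug-ins into a per-run %TEMP%\ns<letter><hex>.tmp\ directory.
NSIS_TEMP_DIR = re.compile(r"\\ns[a-z][0-9a-f]{1,8}\.tmp\\", re.IGNORECASE)
# Dump names in the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMDUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)
DIGEST_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Paths and dump names exactly as listed in the Downloads section above.
REPORT_DROPS = [
    r"\Users\Admin\AppData\Local\Temp\nsj13A.tmp\LangDLL.dll",
    r"\Users\Admin\AppData\Local\Temp\nsj13A.tmp\System.dll",
    r"\Users\Admin\AppData\Local\Temp\nsj13A.tmp\nsDialogs.dll",
    r"\Users\Admin\AppData\Local\Temp\nsj13A.tmp\nsRandom.dll",
]
REPORT_DUMPS = [
    "memory/2072-19-0x00000000004D0000-0x00000000004E2000-memory.dmp",
    "memory/2072-37-0x00000000004D0000-0x00000000004E2000-memory.dmp",
]


@dataclass
class DroppedFile:
    path: str
    in_nsis_temp_dir: bool
    plugin_kind: str  # "stock", "third-party" or "unknown"


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def classify_dropped(path):
    """Tag a dropped-file path by NSIS temp directory and known plug-in name."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in NSIS_STOCK_PLUGINS:
        kind = "stock"
    elif name in NSIS_THIRD_PARTY_PLUGINS:
        kind = "third-party"
    else:
        kind = "unknown"
    return DroppedFile(path, bool(NSIS_TEMP_DIR.search(path)), kind)


def parse_memdump(name):
    """Decode pid, dump sequence number and address range from a dump name."""
    m = MEMDUMP.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return MemoryRegion(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def size_label(nbytes):
    """Whole-kilobyte label in the report's style, e.g. 73728 -> '72KB'."""
    return f"{nbytes // 1024}KB"


def digests_of(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DIGEST_ALGORITHMS}


def verify_digests(data, expected):
    """Return the algorithms whose digest of `data` does not match `expected`."""
    have = digests_of(data)
    return sorted(alg for alg, want in expected.items() if have.get(alg) != want.lower())


def installer_summary(dropped_paths, dump_names):
    """One-shot triage: are all drops NSIS plug-ins, and which regions were dumped?"""
    drops = [classify_dropped(p) for p in dropped_paths]
    regions = [parse_memdump(n) for n in dump_names]
    return {
        "all_nsis_plugins": all(d.in_nsis_temp_dir and d.plugin_kind != "unknown" for d in drops),
        "unknown_drops": [d.path for d in drops if d.plugin_kind == "unknown"],
        "pids": sorted({r.pid for r in regions}),
        "regions": sorted({(r.start, r.end) for r in regions}),
    }


if __name__ == "__main__":
    print(installer_summary(REPORT_DROPS, REPORT_DUMPS))
    print(size_label(parse_memdump(REPORT_DUMPS[0]).size))
```

Both dump names decode to the same 0x4D0000-0x4E2000 range in PID 2072 at two different points in the run (sequence numbers 19 and 37), which is why the report lists two 72KB dumps; a real drop outside the ns*.tmp directory or with an unrecognised name shows up in `unknown_drops` and deserves a closer look than the plug-ins do.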
