Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-09-2024 10:37

General

  • Target

    da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    da293fbfe127cef0a67607e4113e2276

  • SHA1

    38ec2a9b15825f6037fa1f640f41aedacc0da89e

  • SHA256

    2751ffc40e29cde0dc8ff2c99bf40ebd191011215be95539d8cb3dcdd38483be

  • SHA512

    12d60a2c9051c626efe0c24c97508786afdb6f9f6907721d1bc386f98ee1bbd3d3977b05f381115df98c7c0814bf5be5ce9bc53a3d9360a30f9c08c0f207e6eb

  • SSDEEP

    3072:y04gFmx6HgZ6mBsN7foc2GOfAD5In+Y8CQdwvj8C9jtq3Sm3j5n8s2x3Ws0L3amh:ogFmx6Hmcwc2G/9UHtBjg3SOjYWj2aK

Malware Config

Signatures

  • Event Triggered Execution: AppCert DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\netisetx64.dll",CreateProcessNotify
      2⤵
      • Loads dropped DLL
      PID:4628
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240650062.bat" "C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1340
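
The AppCert DLLs signature above carries no IoC of its own, but the process tree shows rundll32.exe calling the CreateProcessNotify export of the freshly dropped C:\Windows\system32\netisetx64.dll, which is the export an AppCert DLL must provide, and each 32-bit child (cmd.exe, attrib.exe) acquires a 68KB mapping at 0x10000000 of the same size as in the parent, consistent with the 32-bit netisetx.dll from SysWOW64 being loaded into every new process. The PowerShell below is an added example, not part of this report, for confirming that persistence on a suspect host: it lists the values of the AppCertDlls key (absent on a default install), hashes the two dropped DLL paths against the SHA256 values from the Downloads section, and reports processes that currently have either DLL loaded. The registry path and cmdlets are standard Windows; only the paths and hashes are taken from the report.

```powershell
# Added example (not part of the sandbox report): confirm AppCert DLL persistence
# on a suspect host using the artifacts this report lists. Run from an elevated
# PowerShell session. Key path and cmdlets are standard Windows; the paths and
# SHA256 values are copied from the Downloads section of the report.

$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

# Dropped DLLs and their SHA256 as recorded by the sandbox.
$ReportedDlls = @{
    'C:\Windows\System32\netisetx64.dll' = '5914e26e3b3fc5f58680b50af6cbf566780517ae6c81aac864380eda6f83149f'
    'C:\Windows\SysWOW64\netisetx.dll'   = 'b561ff6cb2623dfe6a376236d1aeac0f0111a4e6abe4eee18f6cf04c08f8c5eb'
}

# 1. The AppCertDlls key does not exist on a clean install. Every value under it
#    is a DLL path that CreateProcess loads into each new process, so list them all
#    and mark any that match the paths from this report.
if (Test-Path -Path $AppCertKey) {
    $key = Get-Item -Path $AppCertKey
    foreach ($name in $key.GetValueNames()) {
        $dll  = [string]$key.GetValue($name)
        $flag = if ($ReportedDlls.ContainsKey($dll)) { '<-- path listed in report' } else { '' }
        Write-Output ("AppCertDlls\{0} = {1} {2}" -f $name, $dll, $flag)
    }
} else {
    Write-Output 'AppCertDlls key absent (expected on a clean host)'
}

# 2. Check whether the dropped DLLs are on disk and whether they are the same bytes
#    the sandbox saw. A different hash at the same path is still a finding (new build).
foreach ($path in $ReportedDlls.Keys) {
    if (-not (Test-Path -Path $path)) {
        Write-Output ("{0}: not present" -f $path)
        continue
    }
    $hash    = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
    $verdict = if ($hash -eq $ReportedDlls[$path]) { 'matches report' } else { 'DIFFERS from report' }
    Write-Output ("{0}: present, SHA256 {1} ({2})" -f $path, $hash, $verdict)
}

# 3. An AppCert DLL rides into every process created after the key is set, so hits
#    in many unrelated processes are the expected picture, not noise. Protected and
#    system processes refuse module enumeration; skip them instead of aborting.
$names = @('netisetx64.dll', 'netisetx.dll')
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $loaded = $proc.Modules | Where-Object { $_.ModuleName -in $names }
        if ($loaded) {
            Write-Output ("PID {0} ({1}) has loaded: {2}" -f $proc.Id, $proc.ProcessName, ($loaded.FileName -join ', '))
        }
    } catch {
        # access denied on protected processes; nothing to report for them
    }
}
```

Module enumeration across bitness is unreliable (a 64-bit shell may not see the 32-bit netisetx.dll inside WOW64 processes), so cross-check step 3 with `tasklist /m netisetx.dll` or by running the script from the 32-bit PowerShell under C:\Windows\SysWOW64\WindowsPowerShell\v1.0. Removing the registry values and the two files is only a first step; processes that already have the DLL mapped keep running it until they exit.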

Network

  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65.deploy.static.akamaitechnologies.com
  • DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\240650062.bat

    Filesize

    75B

    MD5

    211433a8d7350dd8392a69cde0638d6d

    SHA1

    c776f904296dd02939f518eeb6885580d09504e1

    SHA256

    51f5b8df6058ec718c584100e19ca9fcf236fa8e2068241e5699e2589c124417

    SHA512

    e63f155e2a112a13c952fab54a3746446948e11a2e71d11e2a5495b05a7e35f08d9b00840597e3af0019c0e19f786c527f0b28eb9c6db2471f1198d84381460c

  • C:\Windows\SysWOW64\netisetx.dll

    Filesize

    55KB

    MD5

    8d5add4097a742837ec101015cf23354

    SHA1

    386c2c3994f64551dbef069a78220e4968105105

    SHA256

    b561ff6cb2623dfe6a376236d1aeac0f0111a4e6abe4eee18f6cf04c08f8c5eb

    SHA512

    31302754f99f6101518633e7566d05b14ef9c4d88233ce11c19e1bb92cfaba2e172d4cd835eabc687ba6bbd1f45702de8c782fbd84e1f2451a3a09de6d1a510f

  • C:\Windows\system32\netisetx64.dll

    Filesize

    61KB

    MD5

    cde6aca8ce75c23e287b04f634cb652a

    SHA1

    6320d03cd7124cd98d81bf9f10812db1689b9843

    SHA256

    5914e26e3b3fc5f58680b50af6cbf566780517ae6c81aac864380eda6f83149f

    SHA512

    aca6895f9e0072370ff63d0bfadd819db4e1f3b52ad59053036fdddd460ef324256631030c8b18e541847e236b52be2041c131c80f8fc3a1dae6c5c4e87f40c2

  • memory/1340-24-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2484-25-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2484-22-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/3388-6-0x0000000001000000-0x0000000001032000-memory.dmp

    Filesize

    200KB

  • memory/3388-18-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/3388-17-0x0000000001000000-0x0000000001032000-memory.dmp

    Filesize

    200KB

  • memory/3388-7-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/3388-0-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/3388-1-0x0000000001000000-0x0000000001032000-memory.dmp

    Filesize

    200KB

  • memory/4628-11-0x00000285117E0000-0x00000285117E1000-memory.dmp

    Filesize

    4KB
