d89ea9bffb7a6f28567405eca3ede9226b1c886c3817cae71dcb5f3c78f912e6

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 16:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
Size

129KB
MD5

dabfc15614501bb318a3586036da132c
SHA1

b07a82a8b4173eb16bc90915bf3c25ea6bbb4a8e
SHA256

d89ea9bffb7a6f28567405eca3ede9226b1c886c3817cae71dcb5f3c78f912e6
SHA512

a6752a80e268066c9533b971958dd39e81fb7fc081bb3ec2bc7f7b39ad1a00801b257d9009d37c9f24fd7d790c75c6517eef1dd075b779e83d538cb763e5e94b
SSDEEP

3072:7IJxKNdqSwvrJ5LhgNA3PK+/uDcrfWt0L:cJ4Ndqt7ZPKiq6L

Score

8^/10

discovery vmprotect

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ahnurl.sys	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ahnurl.sys	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3200-0-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral2/memory/3200-8-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\setupball.bmp	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\version.dat	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\winurl.dat	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\wintmp.dat	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 5032	3200	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe	83
PID 3200 wrote to memory of 5032	3200	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe	83
PID 3200 wrote to memory of 5032	3200	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dabfc15614501bb318a3586036da132c_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dele57bd93.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032

Network

DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom

52.111.243.31:443

322 B
7

8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

360 B
5

DNS Request

75.159.190.20.in-addr.arpa

DNS Request

75.159.190.20.in-addr.arpa

DNS Request

75.159.190.20.in-addr.arpa

DNS Request

75.159.190.20.in-addr.arpa

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

288 B
158 B
4
1

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

296 B
128 B
4
1

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

219 B
144 B
3
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

183.59.114.20.in-addr.arpa

DNS Request

183.59.114.20.in-addr.arpa

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dele57bd93.bat

Filesize
271B

MD5
92f90f29da76e00ae5f82e2d2a864dc4

SHA1
390ca107990b1a866e9fc0a065a44b4bc66027e6

SHA256
3cb6fd4ea432fba68d9b7745f875853cc7aeeaf0cf961f4fa6031e31b67dae31

SHA512
ee11263a0423e672486ccc0d70c1020eaaf1fc95dab10524c25f0641dc412545fe95a42b87368c4bb00c2f0ef6cf07f4a2e4892ed5573d3f5060e50a8d5de0b4

Download Submit
memory/3200-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.