Analysis
- max time kernel: 141s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 14:27
Static task: static1
Behavioral task: behavioral1
- Sample: e05f8762256d965476733822af855604_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e05f8762256d965476733822af855604_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e05f8762256d965476733822af855604_JaffaCakes118.exe
- Size: 2.1MB
- MD5: e05f8762256d965476733822af855604
- SHA1: f198d259101ad85e2bc03582680c19260e76e79b
- SHA256: c37290f320f0ff640fe3e8764ba359427c3055d1eb1eebcc557a956708bd5d8e
- SHA512: 1e1ef1f0218552d4bc0088c17995499880cdc810ae158e12a19558de5629aafe0a7e0011b14b303e5abc1ec6f9fa7f0eeb667f1be10d81628ddeddb8fd59726f
- SSDEEP: 49152:w7cNuGXqqcjPLk+SZYI7iWxqwrYZb+zwyj5bCtHRzIhElUhkAps1:w7cN9DcjjknZPxqmpkIh8Uhb4
Malware Config
Extracted
- Family: stealthworker
- Version: 3.12
- C2: http://176.121.14.53:8888
Signatures
- StealthWorker
  StealthWorker is golang-based brute force malware.
- Drops startup file (2 IoCs)
  Processes: cmd.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchoost .exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchoost .exe | cmd.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: cmd.exe, e05f8762256d965476733822af855604_JaffaCakes118.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e05f8762256d965476733822af855604_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: e05f8762256d965476733822af855604_JaffaCakes118.exe
  description | pid | Process | procid_target
  PID 1868 wrote to memory of 2432 | 1868 | e05f8762256d965476733822af855604_JaffaCakes118.exe | 28
  PID 1868 wrote to memory of 2432 | 1868 | e05f8762256d965476733822af855604_JaffaCakes118.exe | 28
  PID 1868 wrote to memory of 2432 | 1868 | e05f8762256d965476733822af855604_JaffaCakes118.exe | 28
  PID 1868 wrote to memory of 2432 | 1868 | e05f8762256d965476733822af855604_JaffaCakes118.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\e05f8762256d965476733822af855604_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e05f8762256d965476733822af855604_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1868
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
      - Drops startup file
      - System Location Discovery: System Language Discovery
      PID: 2432
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 305B
- MD5: 66be48d6c0d1b3653457fea367c3a8f9
- SHA1: 264fa5e8b055454186dd829f9b6f77dd4930e040
- SHA256: 9003a806a4a10cef9ba5c31d40dc66814d8dae6dec1cc8f9ea2b105b04704fb0
- SHA512: a8a336f1ef5bd4e10014529d69d42701090cbb5342dc87fd2754955f684eb879ab9d674d5dc682a8ff26f0822d870015f39a53f5e7232f38f9ea346981682b99