Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 05:50 UTC
Behavioral task: behavioral1
Sample: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe
Size: 398KB
MD5: eab3bc48d6ba17b7974c806ff4acd84f
SHA1: a826916ab22e70c8de5b66bdb5ada15fd9426367
SHA256: f7dba4a6735721c6a63936ab693175e13ed482ad960896c84432fa25e48915ac
SHA512: 9c04c2c592910ebbdbf63eba4597224a670c08acf1fcb318f97f5816d17835ca8ff8a1bde7570dfac75b12290f6bf61b4051a31f40664026a855b0b119651c07
SSDEEP: 6144:ArCboqZY7Io9hpFcGwvdsSkQIbez8BMOssF2FgP:6CM1Uo9xAk8z8yJs8Fu
Malware Config
Signatures
Executes dropped EXE 1 IoCs
- pid 2632, process Drybua.exe
YARA rule matches (rule: upx)
- behavioral1/memory/2204-0-0x0000000000400000-0x0000000000465000-memory.dmp
- behavioral1/files/0x0004000000004ed7-11.dat
- behavioral1/memory/2204-13-0x0000000001EB0000-0x0000000001F15000-memory.dmp
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Z30KYPG3WS = "C:\\Windows\\Drybua.exe" (process: Drybua.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification: C:\Windows\Drybua.exe (process: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe)
- File created: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (process: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (process: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe)
- File created: C:\Windows\Drybua.exe (process: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe)
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Drybua.exe)
Modifies Internet Explorer settings 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main (process: Drybua.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 2632, process Drybua.exe (the same entry is repeated 64 times)
Suspicious use of UnmapMainImage 2 IoCs
- pid 2204, process eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe
- pid 2632, process Drybua.exe
Suspicious use of WriteProcessMemory 4 IoCs
- PID 2204 wrote to memory of 2632 (pid 2204, process eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe, procid_target 30); the same entry is repeated 4 times
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe"
  PID: 2204
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\Drybua.exe
    Command line: C:\Windows\Drybua.exe
    PID: 2632
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
- Remote address: 8.8.8.8:53
  Request: uol.com.br IN A
  Response: uol.com.br IN A 200.147.3.157
- Remote address: 8.8.8.8:53
  Request: imageshack.us IN A
  Response: imageshack.us IN A 208.94.3.19; imageshack.us IN A 208.94.3.18
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 398KB
  MD5: eab3bc48d6ba17b7974c806ff4acd84f
  SHA1: a826916ab22e70c8de5b66bdb5ada15fd9426367
  SHA256: f7dba4a6735721c6a63936ab693175e13ed482ad960896c84432fa25e48915ac
  SHA512: 9c04c2c592910ebbdbf63eba4597224a670c08acf1fcb318f97f5816d17835ca8ff8a1bde7570dfac75b12290f6bf61b4051a31f40664026a855b0b119651c07
- Filesize: 372B
  MD5: 0a3e95639d943176200c24c141224e4a
  SHA1: bdc7a60d991b520cbbb91b5c640b84fa543c6666
  SHA256: e1375220184791a0082290608190a1a8bdcb1e111e3ad100ed82b40d00b68c24
  SHA512: fb194960918841387cd606416b5b580792a3437f47d125798261a80d298416920933b02a7ca97972c43775231a93370e89fb63820cac52303770ae7dbf292d23