Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 05:50 UTC

General

  • Target

    eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe

  • Size

    398KB

  • MD5

    eab3bc48d6ba17b7974c806ff4acd84f

  • SHA1

    a826916ab22e70c8de5b66bdb5ada15fd9426367

  • SHA256

    f7dba4a6735721c6a63936ab693175e13ed482ad960896c84432fa25e48915ac

  • SHA512

    9c04c2c592910ebbdbf63eba4597224a670c08acf1fcb318f97f5816d17835ca8ff8a1bde7570dfac75b12290f6bf61b4051a31f40664026a855b0b119651c07

  • SSDEEP

    6144:ArCboqZY7Io9hpFcGwvdsSkQIbez8BMOssF2FgP:6CM1Uo9xAk8z8yJs8Fu

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
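The checks behind a "UPX packed file" signature, as an added example that is not the sandbox's own detection logic: a parser for the PE section table, the structural traces stock UPX leaves (UPX0/UPX1 section names, an empty first section whose virtual size covers the unpacked image, the "UPX!" marker), and a section-entropy heuristic for modified builds that rename sections. Both PE images are constructed in memory here; the thresholds (0x1000 bytes reserved, 7.0 bits/byte, 1 KB minimum section size) are assumptions chosen for the demonstration.

```python
"""UPX indicators a packer signature looks for: UPX section names, the empty
first section UPX reserves for the unpacked image, the 'UPX!' marker and a
high-entropy section holding the compressed payload.  Added example; the two
PE images are built in memory here and are not the analysed sample."""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr,
                         "raw": data[rawptr:rawptr + rawsize]})
    return sections


def upx_indicators(data: bytes) -> list:
    """Return the reasons a file looks UPX-packed; an empty list means none."""
    hits = []
    sections = parse_sections(data)
    named = [s["name"].decode() for s in sections if s["name"] in UPX_SECTION_NAMES]
    if named:
        hits.append("UPX section names: " + ", ".join(named))
    for s in sections:
        # Stock UPX leaves its first section with no raw data but a large
        # virtual size; the stub decompresses the original image into it.
        if not s["raw"] and s["virtual_size"] >= 0x1000:
            hits.append("empty section %s reserves 0x%X bytes"
                        % (s["name"].decode(), s["virtual_size"]))
        # A modified UPX build may rename sections but still ships the
        # compressed payload, which shows up as near-random data.
        ent = shannon_entropy(s["raw"])
        if len(s["raw"]) >= 1024 and ent > 7.0:
            hits.append("high-entropy section %s (%.2f bits/byte)"
                        % (s["name"].decode(), ent))
    if b"UPX!" in data:
        hits.append("'UPX!' marker present")
    return hits


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 from [(name, virtual_size, raw_bytes), ...]."""
    opt_size = 0xE0                          # PE32 optional header size
    table = 0x40 + 4 + 20 + opt_size         # e_lfanew=0x40, sig, COFF, optional
    raw_off = table + 40 * len(sections)
    hdr = bytearray(raw_off)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(sections), 0, 0, 0,
                     opt_size, 0x102)        # i386, EXECUTABLE_IMAGE | 32BIT
    struct.pack_into("<H", hdr, 0x58, 0x10B)  # optional header magic: PE32
    body = b""
    for i, (name, vsize, raw) in enumerate(sections):
        ptr = raw_off + len(body) if raw else 0
        struct.pack_into("<8sIIII", hdr, table + 40 * i, name.ljust(8, b"\0"),
                         vsize, 0x1000 * (i + 1), len(raw), ptr)
        body += raw
    return bytes(hdr) + body


def pseudo_random(n: int, seed: bytes = b"constructed payload") -> bytes:
    """Deterministic stand-in for compressed data (sha256 chain)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed inputs: a stock-UPX layout and a plain unpacked layout.
PACKED = build_pe([(b"UPX0", 0x20000, b""),
                   (b"UPX1", 0x8000, pseudo_random(0x2000) + b"UPX!"),
                   (b".rsrc", 0x1000, b"\0" * 0x200)])
PLAIN = build_pe([(b".text", 0x1000, b"\x55\x8b\xec" + b"\xcc" * 0x400),
                  (b".data", 0x1000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(image) or "no UPX indicators")
```

The name and marker checks are hints, not proof: a modified UPX build can rename sections and strip the marker, which is why the signature text covers "modified UPX" and why the entropy heuristic is kept alongside the structural ones. Memory dumps of the running process are the reliable way to recover the unpacked image.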

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab3bc48d6ba17b7974c806ff4acd84f_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\Drybua.exe
      C:\Windows\Drybua.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2632

Network

  • DNS uol.com.br (Drybua.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: uol.com.br IN A
    Response: uol.com.br IN A 200.147.3.157
  • DNS imageshack.us (Drybua.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: imageshack.us IN A
    Response: imageshack.us IN A 208.94.3.19
              imageshack.us IN A 208.94.3.18
  • 8.8.8.8:53
    uol.com.br
    dns
    Drybua.exe
    56 B
    72 B
    1
    1

    DNS Request

    uol.com.br

    DNS Response

    200.147.3.157

  • 8.8.8.8:53
    imageshack.us
    dns
    Drybua.exe
    59 B
    91 B
    1
    1

    DNS Request

    imageshack.us

    DNS Response

    208.94.3.19
    208.94.3.18
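The two DNS flows above as a worked example that is added here and is not part of the sandbox output: it builds each query and reply in wire format, parses the reply with compression-pointer handling (including a hop limit against a looping, hostile message), and shows where the 56/72 B and 59/91 B figures come from (DNS payload plus 20 B IPv4 and 8 B UDP headers). The transaction id, the TTL and the assumption that the table's byte counts include the IP/UDP headers are assumptions of this example, not facts from the report.

```python
"""Rebuild the two A-record lookups the sandbox logged for Drybua.exe and
account for the byte counts in its flow table.  Added example: the packets
are constructed from the logged names and addresses, not captured traffic."""
import struct

# Assumption: the sandbox counts IPv4 (20 B) and UDP (8 B) headers on top
# of the DNS payload.
IP_UDP_OVERHEAD = 28


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\0"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query for one A record (QTYPE=1, QCLASS=IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(query: bytes, addrs, ttl: int = 300) -> bytes:
    """Answer a query with one A record per address; each owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack_from(">H", query, 0)[0]
    qend = query.index(b"\0", 12) + 1 + 4          # name, then QTYPE/QCLASS
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(
        struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4)
        + bytes(int(octet) for octet in a.split("."))
        for a in addrs)
    return header + query[12:qend] + answers


def read_name(msg: bytes, off: int, max_hops: int = 16):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointers may chain, so a hop limit stops a looping, hostile message."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_records(msg: bytes) -> dict:
    """Pull transaction id, question name, rcode and A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off, qnames, addrs = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qnames.append(qname)
        off += 4                                     # skip QTYPE/QCLASS
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0xF,
            "qname": qnames[0] if qnames else None, "answers": addrs}


def flow_summary(name: str, addrs) -> dict:
    """Reproduce one row of the flow table: bytes out, bytes in, decoded reply."""
    query = build_query(name)
    reply = build_response(query, addrs)
    return {"sent_bytes": len(query) + IP_UDP_OVERHEAD,
            "recv_bytes": len(reply) + IP_UDP_OVERHEAD,
            "parsed": parse_a_records(reply)}


# Constructed from the names and addresses in the report above.
LOGGED = {"uol.com.br": ["200.147.3.157"],
          "imageshack.us": ["208.94.3.19", "208.94.3.18"]}

if __name__ == "__main__":
    for name, addrs in LOGGED.items():
        row = flow_summary(name, addrs)
        print(name, row["sent_bytes"], "B out,", row["recv_bytes"], "B in ->",
              row["parsed"]["answers"])
```

The sizes match the table exactly (28-byte query plus 28 bytes of headers for uol.com.br; 16 bytes per A record in the reply), which is a useful sanity check that nothing beyond a single A lookup is hidden in those flows. Both names resolved to public infrastructure; the report records the lookups only, not any subsequent HTTP traffic.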

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Drybua.exe (a self-copy of the submitted sample: identical size, MD5, SHA1, SHA256 and SHA512)

    Filesize

    398KB

    MD5

    eab3bc48d6ba17b7974c806ff4acd84f

    SHA1

    a826916ab22e70c8de5b66bdb5ada15fd9426367

    SHA256

    f7dba4a6735721c6a63936ab693175e13ed482ad960896c84432fa25e48915ac

    SHA512

    9c04c2c592910ebbdbf63eba4597224a670c08acf1fcb318f97f5816d17835ca8ff8a1bde7570dfac75b12290f6bf61b4051a31f40664026a855b0b119651c07

  • C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (legacy Task Scheduler 1.0 job file)

    Filesize

    372B

    MD5

    0a3e95639d943176200c24c141224e4a

    SHA1

    bdc7a60d991b520cbbb91b5c640b84fa543c6666

    SHA256

    e1375220184791a0082290608190a1a8bdcb1e111e3ad100ed82b40d00b68c24

    SHA512

    fb194960918841387cd606416b5b580792a3437f47d125798261a80d298416920933b02a7ca97972c43775231a93370e89fb63820cac52303770ae7dbf292d23

  • memory/2204-2-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2204-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2204-14-0x0000000001EB0000-0x0000000001F15000-memory.dmp

    Filesize

    404KB

  • memory/2204-13-0x0000000001EB0000-0x0000000001F15000-memory.dmp

    Filesize

    404KB

  • memory/2204-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2204-10934-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2204-25950-0x0000000001EB0000-0x0000000001F15000-memory.dmp

    Filesize

    404KB

  • memory/2204-33346-0x0000000001EB0000-0x0000000001F15000-memory.dmp

    Filesize

    404KB

  • memory/2204-47229-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2632-20-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2632-47231-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB
