Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 05:56

General

  • Target

    eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe

  • Size

    129KB

  • MD5

    eab6164feb7d381e1562600465759fbe

  • SHA1

    72b645113831a1560c01b424267b5ce5ea37618c

  • SHA256

    0d6ce18f06c63db09a1691fec3b07c4995c7188fa4e31ee0b93f9c04c9f86f97

  • SHA512

    9e5bdb1bba697f443330ec4dad6e9109e3a70ade1c9129b1259cf54532f52218bb1b470dca78815143635c89036acd79581edf6090cda874f2d364eb46de4aee

  • SSDEEP

    1536:+q5TGp6BnjYkHIFp/Qgg2yIgznPb67VPVNJQChVO5Wcs24qz:+mkFp/Qgg3TznDENnhVO5Wce

Malware Config

Extracted

Family

systembc

C2

91.243.83.73

Attributes
  • dns

    5.132.191.104

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab6164feb7d381e1562600465759fbe_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2512
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {CDDD9572-3444-414A-8CB0-E289D57F6E14} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\ProgramData\ewnqf\whrs.exe
      C:\ProgramData\ewnqf\whrs.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ewnqf\whrs.exe

    Filesize

    129KB

    MD5

    eab6164feb7d381e1562600465759fbe

    SHA1

    72b645113831a1560c01b424267b5ce5ea37618c

    SHA256

    0d6ce18f06c63db09a1691fec3b07c4995c7188fa4e31ee0b93f9c04c9f86f97

    SHA512

    9e5bdb1bba697f443330ec4dad6e9109e3a70ade1c9129b1259cf54532f52218bb1b470dca78815143635c89036acd79581edf6090cda874f2d364eb46de4aee

  • C:\Windows\Tasks\Test Task17.job

    Filesize

    214B

    MD5

    f923f291ff386d639bdfc00728bc394f

    SHA1

    e15af4c270a0492b67ea1db74a763b9a5deb2ca5

    SHA256

    155f60cb4e67514e298b084e55535cd1cc5c1a4d32eab60667b854cb0a8da3c2

    SHA512

    3258b5573189f33675014365e8834108a1aed67f4e462cdfaee641c1a0d833c13e07b06f904e530423445bc2d82d527a8c5d65bf484096667a7ceff5f16403a5

  • memory/2512-1-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

  • memory/2512-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2512-5-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

  • memory/2512-6-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2752-14-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB