Analysis

  • max time kernel
    150s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 06:05 UTC

General

  • Target

    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe

  • Size

    60KB

  • MD5

    eab9a8e882a482a3ec8aca0f84ab63d2

  • SHA1

    d7093d8e183f781445544e8dbbad6e178d3ee498

  • SHA256

    506fd50b7317eae1d257e529fb514fad9e0a1dd75d06237bce2ebab3e7fb0e2e

  • SHA512

    b1ac695da37918f0d194823f29461bd32d6ac01a91d6976757f88aa91fc68346a5842c2b24222001950739767c2098476206717686941dec7114881a13d63dec

  • SSDEEP

    768:RNTs2dMw8rorfnmKUMLZNDn/QlgmFIkCd+hNFIktcM9ea5PnOYn6zykNspK6D8L7:RZs4hANDnVJbBvmO0NMm9iCXOjD5fIi

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Users\Admin\jeueqe.exe
      "C:\Users\Admin\jeueqe.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3516

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ns1.player1253.com
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1253.com
    IN A
    Response
  • flag-us
    DNS
    ns1.videoall.net
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.videoall.net
    IN A
    Response
  • flag-us
    DNS
    ns1.mediashares.org
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.mediashares.org
    IN A
    Response
    ns1.mediashares.org
    IN A
    104.155.138.21
    ns1.mediashares.org
    IN A
    107.178.223.183
  • flag-us
    DNS
    ns1.mediashares.org
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.mediashares.org
    IN A
    Response
    ns1.mediashares.org
    IN A
    107.178.223.183
    ns1.mediashares.org
    IN A
    104.155.138.21
  • flag-us
    DNS
    ns1.mediashares.org
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.mediashares.org
    IN A
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    ns1.player1253.com
    dns
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    64 B
    137 B
    1
    1

    DNS Request

    ns1.player1253.com

  • 8.8.8.8:53
    ns1.videoall.net
    dns
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    ns1.videoall.net

  • 8.8.8.8:53
    ns1.mediashares.org
    dns
    eab9a8e882a482a3ec8aca0f84ab63d2_JaffaCakes118.exe
    195 B
    259 B
    3
    3

    DNS Request

    ns1.mediashares.org

    DNS Request

    ns1.mediashares.org

    DNS Request

    ns1.mediashares.org

    DNS Response

    104.155.138.21
    107.178.223.183

    DNS Response

    107.178.223.183
    104.155.138.21

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\jeueqe.exe

    Filesize

    60KB

    MD5

    c347d5a5a5b55dc393e604c689e4b7bf

    SHA1

    243082ba16816264466021f48133bd046bf4306e

    SHA256

    a7f9044c00a245eeb78ec028efba04dda39c000fc7a7c28eb229bed28b47d618

    SHA512

    87928a5ad176e59c7d9aca4aa12b268823386deb5ca184a7e9dfddce7263e0cb29e5acb7ec50bdbbccb6ff228533e2fc81901f43b51aae6d967138fd98f00f2f

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.