Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 16:42

General

  • Target

    ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    ebc25e76c2086197bb78897cc6be8642

  • SHA1

    329718e87976ed3ccd660f90d36e05ed9bc9c2ce

  • SHA256

    4901c2eb26cc12e6d550d2d266a86b9a850b7d1becfedb1ca991fce14d4d7ac9

  • SHA512

    ac64635e4c6617f3be60fdc2184fd8f743fcc3c1702ceeec6571b62e29787632952210405cac827f7aace8da78c21f33aacd42594078f813860ff06810b28000

  • SSDEEP

    24576:5mUNJyJqb1FcMap2ATT5mmUNJyJqb1FcMap2ATT5mmUNJyJqb1FcMap2ATT58:5mV2ApmmV2ApmmV2Ap8

Malware Config

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com
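
Matching DNS telemetry against the extracted DGA list, as an added example that is not part of the sandbox report. The 30 domains are copied from the config above; the shape regex is inferred from those 30 (seven letters alternating consonant/vowel with 'y' treated as a vowel and always in the fourth position, under .com) and is an assumption for hunting, not Simda's published algorithm. The log lines are constructed and the `classify`/`triage_dns_log` names are hypothetical.

```python
import re

# Simda DGA domains extracted from this sample's config (copied from the report).
SIMDA_DGA_DOMAINS = frozenset("""
gatyfus.com lyvyxor.com vojyqem.com qetyfuv.com puvyxil.com gahyqah.com
lyryfyd.com vocyzit.com qegyqaq.com purydyv.com gacyzuz.com lygymoj.com
vowydef.com qexylup.com pufymoq.com gaqydeb.com lyxylux.com vofymik.com
qeqysag.com puzylyp.com gadyniw.com lymysan.com volykyc.com qedynul.com
pumypog.com galykes.com lysynur.com vonypom.com qekykev.com pupybul.com
""".split())

# Shape inferred from the 30 domains above (an assumption, not Simda's published
# algorithm): seven letters alternating consonant/vowel, 'y' counted as a vowel,
# the fourth letter always 'y', under .com. Treat a 'shape' hit as a hunt lead,
# not a verdict: short benign domains can fit the same pattern.
_C = "[bcdfghjklmnpqrstvwxz]"
_V = "[aeiouy]"
SIMDA_SHAPE = re.compile(rf"^{_C}{_V}{_C}y{_C}{_V}{_C}\.com$")

# Constructed sample DNS log lines (not from the sandbox run): "ts client qname".
SAMPLE_DNS_LOG = """\
2024-09-19T16:43:01Z 10.0.0.15 gatyfus.com
2024-09-19T16:43:01Z 10.0.0.15 www.microsoft.com
2024-09-19T16:43:02Z 10.0.0.15 LYVYXOR.COM.
2024-09-19T16:43:05Z 10.0.0.22 kemyvoz.com
2024-09-19T16:43:06Z 10.0.0.22 example.org
"""


def normalize(qname):
    """Lower-case and drop the trailing dot so list lookups are exact."""
    return qname.strip().lower().rstrip(".")


def classify(qname):
    """'ioc' for a listed domain, 'shape' for an unlisted domain that fits the
    inferred pattern, None otherwise."""
    name = normalize(qname)
    if name in SIMDA_DGA_DOMAINS:
        return "ioc"
    if SIMDA_SHAPE.match(name):
        return "shape"
    return None


def triage_dns_log(text):
    """Return (timestamp, client, qname, verdict) for every flagged query."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, normalize(qname), verdict))
    return hits


if __name__ == "__main__":
    for hit in triage_dns_log(SAMPLE_DNS_LOG):
        print(*hit)
```

Exact list hits are the reliable signal; the shape check only widens the net to domains generated by the same family with a different seed or date, and its hits should be reviewed before being acted on.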

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • simda

    Simda is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408
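
Turning this process tree into a host-side check, as an added example that is not part of the sandbox report. The dropped path, its SHA-256 and the PIDs 2220/2408 are taken from the report; the Sysmon-style event dicts are constructed, the assumption that the Winlogon values touched were Shell/Userinit is mine (the report says only that Winlogon was modified), and the `analyze`/`is_rogue_svchost` names are hypothetical.

```python
import hashlib
from pathlib import PureWindowsPath

# From the report: the dropped copy of svchost.exe and its SHA-256.
DROPPED_SVCHOST = r"C:\Windows\apppatch\svchost.exe"
DROPPED_SVCHOST_SHA256 = (
    "3e364c6ffc6801e692761f663d6c5cf707ee6471388fdcab891fbdf4b9ed839a"
)

# Assumed Windows 7 defaults; the report does not say which Winlogon value
# was changed, so Shell and Userinit (the usual persistence targets) are checked.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# The only directories a genuine svchost.exe lives in.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE_EXE = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe"
)

# Constructed Sysmon-style events (not sandbox output); parent PIDs, the
# explorer.exe parent and the tampered Shell data are invented for illustration.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2220, "ppid": 1234, "image": SAMPLE_EXE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2408, "ppid": 2220, "image": DROPPED_SVCHOST,
     "parent_image": SAMPLE_EXE},
    {"type": "process", "pid": 860, "ppid": 500,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "registry", "pid": 2408, "key": WINLOGON_KEY, "value": "Shell",
     "data": r"explorer.exe,C:\Windows\apppatch\svchost.exe"},
    {"type": "registry", "pid": 2408, "key": WINLOGON_KEY, "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,"},
]


def is_rogue_svchost(image):
    """True for an image named svchost.exe outside System32/SysWOW64."""
    p = PureWindowsPath(image)
    if p.name.lower() != "svchost.exe":
        return False
    return str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def analyze(events):
    """Return (finding, pid, detail) tuples for the suspicious events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if is_rogue_svchost(ev["image"]):
                findings.append(("rogue_svchost", ev["pid"], ev["image"]))
            elif (PureWindowsPath(ev["image"]).name.lower() == "svchost.exe"
                  and PureWindowsPath(ev["parent_image"]).name.lower()
                  != "services.exe"):
                # Real svchost instances are started by services.exe.
                findings.append(("svchost_odd_parent", ev["pid"], ev["parent_image"]))
        elif ev["type"] == "registry" and ev["key"].lower() == WINLOGON_KEY.lower():
            default = WINLOGON_DEFAULTS.get(ev["value"])
            if default is not None and ev["data"].lower() != default.lower():
                findings.append(("winlogon_tamper", ev["pid"],
                                 f'{ev["value"]}={ev["data"]}'))
    return findings


def sha256_matches(data, expected=DROPPED_SVCHOST_SHA256):
    """Compare file bytes found on a host with the report's dropped-file hash."""
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The path check is deliberately case-insensitive and resolves the parent directory rather than substring-matching "System32", so `C:\Windows\apppatch\svchost.exe` is flagged but a SysWOW64 copy is not. If a file is found at the dropped path, `sha256_matches` on its bytes ties it to this specific sample; a different hash still warrants a look, since the name and location alone are wrong.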

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\A500.tmp

          Filesize

          2KB

          MD5

          326739781283f38a7bf84b8bdf8eff24

          SHA1

          7b61df41335d3134973cf8fbc3cc4839a4caad38

          SHA256

          e3e44602927b602bd62159bd791f2afb71f73be05f8b0a75b8a7f8375b7a0d93

          SHA512

          8c9445112d68102790e4310230f2b2191954a1771d1bccd6c7e1f805bb09099ce1f2f982857f8344245b9939639d1646e6c67893deb94d5f61502f77810960e6

        • C:\Users\Admin\AppData\Local\Temp\B8BA.tmp

          Filesize

          593B

          MD5

          926512864979bc27cf187f1de3f57aff

          SHA1

          acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

          SHA256

          b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

          SHA512

          f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

        • \Windows\AppPatch\svchost.exe

          Filesize

          1.0MB

          MD5

          af973fd6117ff03900d671a621bde68b

          SHA1

          b56c737de9154d22ada4c0919de4d00eb7a1bb14

          SHA256

          3e364c6ffc6801e692761f663d6c5cf707ee6471388fdcab891fbdf4b9ed839a

          SHA512

          9f876275e4bf4496656b78d8c11d0a43017105d065f04a98b4f46cfd027cf4e86609c444da6841e644a25bef0398930aefc486453eb8b5dc89b2bf807994c1db

        • memory/2220-13-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

        • memory/2408-16-0x00000000020A0000-0x0000000002148000-memory.dmp

          Filesize

          672KB

        • memory/2408-24-0x00000000020A0000-0x0000000002148000-memory.dmp

          Filesize

          672KB

        • memory/2408-22-0x00000000020A0000-0x0000000002148000-memory.dmp

          Filesize

          672KB

        • memory/2408-20-0x00000000020A0000-0x0000000002148000-memory.dmp

          Filesize

          672KB

        • memory/2408-18-0x00000000020A0000-0x0000000002148000-memory.dmp

          Filesize

          672KB

        • memory/2408-14-0x00000000020A0000-0x0000000002148000-memory.dmp

          Filesize

          672KB

        • memory/2408-25-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-29-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-27-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-31-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-56-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-68-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-77-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-76-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-75-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-74-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-73-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-72-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-70-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-69-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-67-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-66-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-65-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-64-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-63-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-62-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-61-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-60-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-59-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-58-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-57-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-55-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-54-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-53-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-52-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-51-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-50-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-49-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-47-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-46-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-45-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-44-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-43-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-42-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-41-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-40-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-39-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-37-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-71-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-36-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-35-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-34-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-48-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-33-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-32-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-38-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB

        • memory/2408-188-0x00000000021B0000-0x0000000002266000-memory.dmp

          Filesize

          728KB