Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 16:46

General

  • Target

    ebc42d791ff27007b379aa0bacda9af7_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    ebc42d791ff27007b379aa0bacda9af7

  • SHA1

    9d78f6d315c0f9cfc8a367184872f6b2d069f75f

  • SHA256

    cee001c96e80548e13a26754732f7a53ac5ea6e6e6c4f0e04d0d9c3f384d3acc

  • SHA512

    f3699e4a2d60bb85e871431523dfe52d3245cb3cb4b2bf3907d7a640e3ee73a931449320136d66b41791e4b2ddd1da13fcf722fef6d4e68467d0fcca0e35a462

  • SSDEEP

    6144:wgiD9CmFlaRUdduv9sZIUlfxryHfvau9hHoyrnETB2ebz:M9C3N2ZIUl4/njr8B2Yz

Malware Config

Extracted

Family

simda

Attributes
  • dga

    cihunemyror.eu

    digivehusyd.eu

    vofozymufok.eu

    fodakyhijyv.eu

    nopegymozow.eu

    gatedyhavyd.eu

    marytymenok.eu

    jewuqyjywyv.eu

    qeqinuqypoq.eu

    kemocujufys.eu

    rynazuqihoj.eu

    lyvejujolec.eu

    tucyguqaciq.eu

    xuxusujenes.eu

    puzutuqeqij.eu

    ciliqikytec.eu

    dikoniwudim.eu

    vojacikigep.eu

    fogeliwokih.eu

    nofyjikoxex.eu

    gadufiwabim.eu

    masisokemep.eu

    jepororyrih.eu

    qetoqolusex.eu

    keraborigin.eu

    ryqecolijet.eu

    lymylorozig.eu

    tunujolavez.eu

    xubifaremin.eu

    puvopalywet.eu

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • simda

    Simda is an infostealer written in C++.

  • UPX packed file (1 IoC)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Creates a large amount of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebc42d791ff27007b379aa0bacda9af7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ebc42d791ff27007b379aa0bacda9af7_JaffaCakes118.exe"
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4860

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4860-0-0x0000000000400000-0x000000000054D000-memory.dmp (Filesize 1.3MB)
  • memory/4860-1-0x00000000007F0000-0x0000000000837000-memory.dmp (Filesize 284KB)
  • memory/4860-2-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
  • memory/4860-4-0x0000000002480000-0x0000000002532000-memory.dmp (Filesize 712KB)
  • memory/4860-5-0x0000000000400000-0x000000000054D000-memory.dmp (Filesize 1.3MB)
  • memory/4860-6-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-8-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-10-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-64-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-72-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-107-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-119-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-118-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-117-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-116-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-115-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-114-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-113-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-112-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-111-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-109-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-108-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-106-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-105-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-104-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-103-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-102-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-101-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-100-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-99-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-98-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-97-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-96-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-95-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-93-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-92-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-91-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-90-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-89-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-88-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-87-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-86-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-85-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-84-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-83-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-82-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-81-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-80-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-78-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-77-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-76-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-75-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-74-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-73-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-110-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-71-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-70-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-94-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-69-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-68-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-67-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-79-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-66-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-65-0x0000000002540000-0x00000000025F8000-memory.dmp (Filesize 736KB)
  • memory/4860-256-0x00000000007F0000-0x0000000000837000-memory.dmp (Filesize 284KB)
  • memory/4860-386-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)