Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 00:05

General

  • Target

    ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe

  • Size

    217KB

  • MD5

    ec725e6f7355c934e22abb9d81da7f65

  • SHA1

    44048104c8413a20a550fb9cdab63a147da94137

  • SHA256

    d0b02f2bc5e46880f67b31b7a7ab3fc8670ee3c6a0a362a52c2f10fbae8d1913

  • SHA512

    cf7b80ad72f4325dff8e9a1d167a6f5a5ea9026dc3cdd372e23a97e16666f8a4640273858fbf86946891e89ae41ee9f7db7ccbb18a212ddf6115c2187d16755f

  • SSDEEP

    6144:cqLPjb9UaJalcSMu9S7gWPdg+eBHQQl+7cxts/y:ckbu3cSruBPbeBbQwx+

Malware Config

Extracted

Family

simda

Attributes
  • dga
    gatyfus.com
    lyvyxor.com
    vojyqem.com
    qetyfuv.com
    puvyxil.com
    gahyqah.com
    lyryfyd.com
    vocyzit.com
    qegyqaq.com
    purydyv.com
    gacyzuz.com
    lygymoj.com
    vowydef.com
    qexylup.com
    pufymoq.com
    gaqydeb.com
    lyxylux.com
    vofymik.com
    qeqysag.com
    puzylyp.com
    gadyniw.com
    lymysan.com
    volykyc.com
    qedynul.com
    pumypog.com
    galykes.com
    lysynur.com
    vonypom.com
    qekykev.com
    pupybul.com

Signatures

  • simda

    Simda is an infostealer written in C++.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"
    PID:2460
    • Checks BIOS information in registry
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2460-0-0x00000000002F0000-0x0000000000342000-memory.dmp (328KB)
  • memory/2460-1-0x0000000000400000-0x000000000045F000-memory.dmp (380KB)
  • memory/2460-2-0x00000000004F0000-0x000000000059A000-memory.dmp (680KB)
  • memory/2460-4-0x00000000004F0000-0x000000000059A000-memory.dmp (680KB)
  • memory/2460-6-0x00000000004F0000-0x000000000059A000-memory.dmp (680KB)
  • memory/2460-12-0x00000000004F0000-0x000000000059A000-memory.dmp (680KB)
  • memory/2460-13-0x0000000000400000-0x00000000004ED000-memory.dmp (948KB)
  • memory/2460-10-0x00000000004F0000-0x000000000059A000-memory.dmp (680KB)
  • memory/2460-8-0x00000000004F0000-0x000000000059A000-memory.dmp (680KB)
  • memory/2460-14-0x0000000002630000-0x00000000026E9000-memory.dmp (740KB)
  • memory/2460-16-0x0000000002630000-0x00000000026E9000-memory.dmp (740KB)
  • memory/2460-45-0x0000000001E70000-0x0000000001E71000-memory.dmp (4KB)
  • memory/2460-44-0x0000000001E60000-0x0000000001E61000-memory.dmp (4KB)
  • memory/2460-59-0x0000000002630000-0x00000000026E9000-memory.dmp (740KB)
  • memory/2460-58-0x0000000001EC0000-0x0000000001EC1000-memory.dmp (4KB)
  • memory/2460-56-0x0000000001EA0000-0x0000000001EA1000-memory.dmp (4KB)
  • memory/2460-55-0x0000000001EB0000-0x0000000001EB1000-memory.dmp (4KB)
  • memory/2460-52-0x0000000001EA0000-0x0000000001EA1000-memory.dmp (4KB)
  • memory/2460-51-0x0000000001E90000-0x0000000001E91000-memory.dmp (4KB)
  • memory/2460-49-0x0000000001E70000-0x0000000001E71000-memory.dmp (4KB)
  • memory/2460-48-0x0000000001E80000-0x0000000001E81000-memory.dmp (4KB)
  • memory/2460-42-0x0000000001E40000-0x0000000001E41000-memory.dmp (4KB)
  • memory/2460-41-0x0000000001E50000-0x0000000001E51000-memory.dmp (4KB)
  • memory/2460-37-0x0000000001E30000-0x0000000001E31000-memory.dmp (4KB)
  • memory/2460-35-0x0000000000870000-0x0000000000871000-memory.dmp (4KB)
  • memory/2460-34-0x0000000000880000-0x0000000000881000-memory.dmp (4KB)
  • memory/2460-31-0x0000000000870000-0x0000000000871000-memory.dmp (4KB)
  • memory/2460-30-0x0000000000860000-0x0000000000861000-memory.dmp (4KB)
  • memory/2460-28-0x0000000000840000-0x0000000000841000-memory.dmp (4KB)
  • memory/2460-27-0x0000000000850000-0x0000000000851000-memory.dmp (4KB)
  • memory/2460-24-0x0000000000840000-0x0000000000841000-memory.dmp (4KB)
  • memory/2460-23-0x00000000005A0000-0x00000000005A1000-memory.dmp (4KB)
  • memory/2460-21-0x0000000000350000-0x0000000000351000-memory.dmp (4KB)
  • memory/2460-20-0x00000000003F0000-0x00000000003F1000-memory.dmp (4KB)
  • memory/2460-19-0x00000000003F0000-0x00000000003F1000-memory.dmp (4KB)
  • memory/2460-17-0x0000000000350000-0x0000000000351000-memory.dmp (4KB)
  • memory/2460-61-0x00000000002F0000-0x0000000000342000-memory.dmp (328KB)
  • memory/2460-62-0x0000000000400000-0x000000000045F000-memory.dmp (380KB)