Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2024 00:42

General

  • Target

    eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe

  • Size

    162KB

  • MD5

    eec01efbbe0b7fda3816af7957024ff9

  • SHA1

    63270a6182ba640a5cb6141fc6daabea1e2c1959

  • SHA256

    45b2c7845f0ec06024b00543bbd17c008989a1361cdc50e7de40370232b9b628

  • SHA512

    d87cb29262d710e25aba7d782ba0917882daf92810f1cf73b27600b39c25e951cb5978d59a419b237b756dbfbc0f05fa0a185f7b5876d7a52bec5f70d8cf15f5

  • SSDEEP

    3072:kkqseZj6FzYj+A3FBlLzhMgJCyNZn5g8JEfqcS+vhsP75w28NHSqstaEVG:v8j6FzY/RLzpNZn5gPq5+OPtwufta

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe startC:\Program Files (x86)\LP\6105\473.exe%C:\Program Files (x86)\LP\6105
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3084
    • C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe startC:\Program Files (x86)\93ADD\lvvm.exe%C:\Program Files (x86)\93ADD
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1272
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
    1⤵
      PID:1140

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      69.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      69.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      012webpages.com
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      012webpages.com
      IN A
      Response
      012webpages.com
      IN A
      103.27.200.238
    • flag-th
      GET
      http://012webpages.com/christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      103.27.200.238:80
      Request
      GET /christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
      Connection: close
      Host: 012webpages.com
      Accept: */*
      User-Agent: chrome/9.0
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Sat, 21 Sep 2024 00:42:53 GMT
      Content-Type: text/html
      Content-Length: 166
      Connection: close
      Location: http://www.012webpages.com/christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D
      Server: Nginx_Rc-Cr
      etag: on
    • flag-us
      DNS
      238.200.27.103.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      238.200.27.103.in-addr.arpa
      IN PTR
      Response
      238.200.27.103.in-addr.arpa
      IN PTR
      th238.ruk-com.in.th
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      regfeedbackaccess.com
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      regfeedbackaccess.com
      IN A
      Response
    • flag-us
      DNS
      renamesys5.com
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      renamesys5.com
      IN A
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      renamesys5.com
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      renamesys5.com
      IN A
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      www.google.com
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      www.google.com
      IN A
      Response
      www.google.com
      IN A
      172.217.169.4
    • flag-gb
      GET
      http://www.google.com/
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      172.217.169.4:80
      Request
      GET / HTTP/1.0
      Connection: close
      Host: www.google.com
      Accept: */*
      Response
      HTTP/1.0 302 Found
      Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      x-hallmonitor-challenge: CgwIya24twYQtsmm4QESBMJuDUY
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-NkUr1Scfn-L7lHPCotx_tQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      Date: Sat, 21 Sep 2024 00:43:53 GMT
      Server: gws
      Content-Length: 396
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: AEC=AVYB7cqVOvUMhfgcBaL9I8sVV3_Nv3lkAeXZL-RK95RRyXWkpepz8ugFvCA; expires=Thu, 20-Mar-2025 00:43:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    • flag-gb
      GET
      http://www.google.com/
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      172.217.169.4:80
      Request
      GET / HTTP/1.1
      Connection: close
      Pragma: no-cache
      Host: www.google.com
      Response
      HTTP/1.1 302 Found
      Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      x-hallmonitor-challenge: CgsIyq24twYQ3-ToAxIEwm4NRg
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-9vyNQxkRdFAeQlg2ahXV9g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      Date: Sat, 21 Sep 2024 00:43:54 GMT
      Server: gws
      Content-Length: 396
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: AEC=AVYB7cqjSP8j2uHDSk98fr2GzQBTiDGM1nnz7jNkhp0Crjfe43Or6SUm8g; expires=Thu, 20-Mar-2025 00:43:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
      Connection: close
    • flag-gb
      GET
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      Remote address:
      172.217.169.4:80
      Request
      GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
      Connection: close
      Pragma: no-cache
      Host: www.google.com
      Response
      HTTP/1.1 429 Too Many Requests
      Date: Sat, 21 Sep 2024 00:43:54 GMT
      Pragma: no-cache
      Expires: Fri, 01 Jan 1990 00:00:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Content-Type: text/html
      Server: HTTP server (unknown)
      Content-Length: 3052
      X-XSS-Protection: 0
      Connection: close
    • flag-us
      DNS
      4.169.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.169.217.172.in-addr.arpa
      IN PTR
      Response
      4.169.217.172.in-addr.arpa
      IN PTR
      lhr25s26-in-f4.1e100.net
    • 103.27.200.238:80
      http://012webpages.com/christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D
      http
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      388 B
      641 B
      5
      5

      HTTP Request

      GET http://012webpages.com/christian14.jpg?pr=gHZutDyMv5rJfCG1J8K%2B1MWCJbP4lltXIA%3D%3D

      HTTP Response

      301
    • 127.0.0.1:58667
    • 172.217.169.4:80
      http://www.google.com/
      http
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      302 B
      1.5kB
      5
      5

      HTTP Request

      GET http://www.google.com/

      HTTP Response

      302
    • 127.0.0.1:58667
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
    • 172.217.169.4:80
      http://www.google.com/
      http
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      307 B
      1.5kB
      5
      5

      HTTP Request

      GET http://www.google.com/

      HTTP Response

      302
    • 172.217.169.4:80
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      http
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      526 B
      3.6kB
      6
      7

      HTTP Request

      GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMmtuLcGIjCKz9fCktDJEEfyJPL-x8dYHJHyECOWSgxdR7h8g1fXH61MTuuJjYZhCzQqlVsXrscyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

      HTTP Response

      429
    • 127.0.0.1:58667
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
    • 127.0.0.1:58667
    • 127.0.0.1:58667
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      69.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      69.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      012webpages.com
      dns
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      61 B
      77 B
      1
      1

      DNS Request

      012webpages.com

      DNS Response

      103.27.200.238

    • 224.0.0.251:5353
      112 B
      2
    • 8.8.8.8:53
      238.200.27.103.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      238.200.27.103.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      regfeedbackaccess.com
      dns
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      67 B
      140 B
      1
      1

      DNS Request

      regfeedbackaccess.com

    • 8.8.8.8:53
      renamesys5.com
      dns
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      60 B
      133 B
      1
      1

      DNS Request

      renamesys5.com

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      renamesys5.com
      dns
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      60 B
      133 B
      1
      1

      DNS Request

      renamesys5.com

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      www.google.com
      dns
      eec01efbbe0b7fda3816af7957024ff9_JaffaCakes118.exe
      60 B
      76 B
      1
      1

      DNS Request

      www.google.com

      DNS Response

      172.217.169.4

    • 8.8.8.8:53
      4.169.217.172.in-addr.arpa
      dns
      72 B
      110 B
      1
      1

      DNS Request

      4.169.217.172.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\50593\3ADD.059

      Filesize

      1KB

      MD5

      0f2c86bae2f5617e0e47a4f8ebbef206

      SHA1

      840379d071f858992d7f3eb9bb3f0ebdaa19519f

      SHA256

      f18df6bfc3c0fe7529af4de64dd6e7324002a79610ab44534df2be17c49b7650

      SHA512

      6e258a80c8a4856a861bc3896680330b5436c5d3707f39e5196385c8f66557a9ed1ec0d241c025e460365fda00afb6ea4f5d57956cb216134946708ba43d0387

    • C:\Users\Admin\AppData\Roaming\50593\3ADD.059

      Filesize

      600B

      MD5

      24a330fea5149c38c9a854a459b05cd0

      SHA1

      d7a40188cd3a7d4a9e71f273e5d6a786f6e0a253

      SHA256

      fc251b86d0cdf02ec39b4744dd375e7647d90f52a7ccc4b41d1e171e44daa9c6

      SHA512

      3a89e3b0e545f4cc938a3f7ab7766efc9e6ead49f3e54cf84a9569a998be26feb50e4a8cb162f6235dfd301737945c0bb6cf2b5bccdddeb980a3e45cd1e90dca

    • C:\Users\Admin\AppData\Roaming\50593\3ADD.059

      Filesize

      996B

      MD5

      c82169b3edcbcf463606fe4ec0e20d89

      SHA1

      fa1b24f38d80c181a2bac5e3f94fd6c368e101aa

      SHA256

      d4dcd80183696a1721f9340cba9d0c5769d263710454961bff2c2e804362f129

      SHA512

      a16ef847c158993717d961bcbc1d0ae38aef85297d47a998fcd964615516016c62bf4de1c1b1b3ac016fad95a6c6fd2248f07bb36bed1bc212d6ac0f4ddde4be

    • memory/1272-86-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/1272-84-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/3084-12-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/3084-15-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/3084-13-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/4924-17-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/4924-16-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/4924-1-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/4924-87-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/4924-2-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

    • memory/4924-179-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB
