Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 01:30 UTC

General

  • Target

    0842d0e432180b0780236096c2189761_JaffaCakes118.exe

  • Size

    98KB

  • MD5

    0842d0e432180b0780236096c2189761

  • SHA1

    5ef71995386f2cb5a1f38667ec1422c4a9ee05d8

  • SHA256

    e848da375e3761f95d614daa86de4ffb531246915364a6b1f1e52514ee0a60e3

  • SHA512

    a031eb7f5fb3bebb66d5cbd561d3bec3e9798cc15eeaedfc259705483300416363d1e5355dea98742156adc768dd570d52d84702c8b78c643b8f2b2a7fcf30a6

  • SSDEEP

    1536:8klgA+WDngGwcljJPeKhhJUdnpcGUwkH0CJeUjrtWHLEg0KfVIuk:ZlT+W73fpJPeEhOpctwgjrtWHLrVVk

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0842d0e432180b0780236096c2189761_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wrf..bat" > nul 2> nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2384

Network

  • US
    DNS
    bigshoeart.com
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    bigshoeart.com
    IN A
    Response
  • US
    DNS
    bigshoeart.com
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    bigshoeart.com
    IN A
  • US
    DNS
    houserockart.com
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    houserockart.com
    IN A
    Response
  • US
    DNS
    greatartsales.com
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    greatartsales.com
    IN A
    Response
    greatartsales.com
    IN A
    216.239.36.21
    greatartsales.com
    IN A
    216.239.38.21
    greatartsales.com
    IN A
    216.239.34.21
    greatartsales.com
    IN A
    216.239.32.21
  • US
    POST
    http://greatartsales.com/wd.php?w=v22MyGK1TdahDGVg6wYVFrs4P7C4ItRvPtBZGHN2eUlUCgOAhUHVyz31AlrHIQqMgMqV750TfwiBMF4bFG3zfIiRtufQpaX/MftqvO7plw==
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    Remote address:
    216.239.36.21:80
    Request
    POST /wd.php?w=v22MyGK1TdahDGVg6wYVFrs4P7C4ItRvPtBZGHN2eUlUCgOAhUHVyz31AlrHIQqMgMqV750TfwiBMF4bFG3zfIiRtufQpaX/MftqvO7plw== HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: greatartsales.com
    User-Agent: Mozilla/6.0 (Windows; wget 3.0)
    Content-Length: 101
    Connection: close
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 02 Oct 2024 01:31:06 GMT
    Content-Type: text/html; charset=UTF-8
    Server: ghs
    Content-Length: 1678
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Connection: close
  • 216.239.36.21:80
    http://greatartsales.com/wd.php?w=v22MyGK1TdahDGVg6wYVFrs4P7C4ItRvPtBZGHN2eUlUCgOAhUHVyz31AlrHIQqMgMqV750TfwiBMF4bFG3zfIiRtufQpaX/MftqvO7plw==
    http
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    697 B
    2.1kB
    6
    6

    HTTP Request

    POST http://greatartsales.com/wd.php?w=v22MyGK1TdahDGVg6wYVFrs4P7C4ItRvPtBZGHN2eUlUCgOAhUHVyz31AlrHIQqMgMqV750TfwiBMF4bFG3zfIiRtufQpaX/MftqvO7plw==

    HTTP Response

    404
  • 8.8.8.8:53
    bigshoeart.com
    dns
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    120 B
    133 B
    2
    1

    DNS Request

    bigshoeart.com

    DNS Request

    bigshoeart.com

  • 8.8.8.8:53
    houserockart.com
    dns
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    houserockart.com

  • 8.8.8.8:53
    greatartsales.com
    dns
    0842d0e432180b0780236096c2189761_JaffaCakes118.exe
    63 B
    127 B
    1
    1

    DNS Request

    greatartsales.com

    DNS Response

    216.239.36.21
    216.239.38.21
    216.239.34.21
    216.239.32.21

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Wrf..bat

    Filesize

    238B

    MD5

    ed961bc3e75b797a791ac2b0664aba08

    SHA1

    8866fc81db6d984f1f1c4cedfe4daa68071b88c7

    SHA256

    c0190bcaadf1c510ed0a38dac501d70b4a71dd9be17b547bb267272eb200860c

    SHA512

    5261928d8dd4904b0ecceb313befe517726cd17e6a4d25445c1840e2fab50e6277e5025ef72f5c58d3445155cd53974065e3f78c4f03ffce823aab8480f133aa

  • memory/1644-0-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/1644-1-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1644-3-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB
