Analysis
Max time kernel: 149s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 02/10/2024, 14:58
Behavioral task: behavioral1
Sample: 0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
Size: 556KB
MD5: 0b3f3727e4ff399c04d918e84761c4ee
SHA1: f044622ff9ad3df393e9f34470cf8c8e74069fae
SHA256: d630d84bc7c584e375ff075dc2b07d9f564614e07ae2031a3ac7e9c490bae4bc
SHA512: f3faf599381cc5cb4ef0310dc6bf16fc0cb54b9209b0a13342b932ec94cfe0b4b5f9c0052290fb1dbfc5a44144558ff30ce3182588ba24881da9fc19e6003068
SSDEEP: 12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY
Malware Config
Extracted family: urelas
Extracted addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures

Deletes itself (1 IoC)
- PID 2704, cmd.exe

Executes dropped EXE (2 IoCs)
- PID 2696, jaijf.exe
- PID 1956, iropz.exe

Loads dropped DLL (2 IoCs)
- PID 1900, 0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
- PID 2696, jaijf.exe
YARA rule match: upx (6 resources)
- behavioral1/memory/1900-18-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/files/0x0032000000016d04-9.dat
- behavioral1/memory/2696-17-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/memory/1900-0-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/memory/2696-21-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral1/memory/2696-29-0x0000000000400000-0x00000000004B6000-memory.dmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process jaijf.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process iropz.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
- PID 1956, iropz.exe (54 occurrences)
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1900 (0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe) wrote to memory of PID 2696, procid_target 30 (4 occurrences)
- PID 1900 (0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe) wrote to memory of PID 2704, procid_target 31 (4 occurrences)
- PID 2696 (jaijf.exe) wrote to memory of PID 1956, procid_target 33 (4 occurrences)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe"
  PID: 1900
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\jaijf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jaijf.exe"
    PID: 2696
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\iropz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\iropz.exe"
      PID: 1956
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2704
    - Deletes itself
    - System Location Discovery: System Language Discovery
Downloads