89bb1f9efa68539b8ef29f833ed379535649e7a3f1645255e567921e396cc5ba

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 21:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe
Size

15KB
MD5

109b14650a1d0f7213029619ba7f3cb9
SHA1

d12076fbfca72ffd76a94ce6fd17f80728310603
SHA256

89bb1f9efa68539b8ef29f833ed379535649e7a3f1645255e567921e396cc5ba
SHA512

5dd10af5eee7131097c548a4e71d7fd47fdb646a7ade5246638c5d3bdd8e3788dcc37db177fb1cf6491bd43adc43161fc6450f556f3c06637b18afd9b78c3dba
SSDEEP

384:wBbbcqKdv1aGuIFm3UGtTk8mm2bN0U0ofZS2YPMX:a3Kdv15OkGeuiS2YPM

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1948	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	ld09.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysldtray = "c:\\windows\\ld09.exe"	ld09.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2112-19-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2528-20-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x00080000000173fb-17.dat	upx
behavioral1/memory/2528-22-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ld09.exe	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe
File created	\??\c:\windows\ld09.exe	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ld09.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2528	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	30
PID 2112 wrote to memory of 1948	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1948	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1948	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1948	2112	109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109b14650a1d0f7213029619ba7f3cb9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- \??\c:\windows\ld09.exe
  c:\windows\ld09.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\d45.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1948

Network

DNS

www.google.com

ld09.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

216.58.204.68
GET

http://www.google.com/

ld09.exe

Remote address:

216.58.204.68:80

Request

GET / HTTP/1.0
Host: www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1.7601 Service Pack 1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close

Response

HTTP/1.0 302 Found

Location: https://www.google.com/?gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-i0aV6UUb5lb5jewa1GOuBA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 03 Oct 2024 21:42:53 GMT
Server: gws
Content-Length: 231
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cq3rjXGiC_mbm30MgFfLpUYjZ_nGvjztjZcIB0IiKDhjJf4hiCMXgU; expires=Tue, 01-Apr-2025 21:42:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
DNS

upr15may.com

ld09.exe

Remote address:

8.8.8.8:53

Request

upr15may.com

IN A

Response
DNS

er20090515.com

ld09.exe

Remote address:

8.8.8.8:53

Request

er20090515.com

IN A

Response
DNS

uprtrishest.com

ld09.exe

Remote address:

8.8.8.8:53

Request

uprtrishest.com

IN A

Response
DNS

trisem.com

ld09.exe

Remote address:

8.8.8.8:53

Request

trisem.com

IN A

Response

trisem.com

IN A

185.53.178.51
POST

http://trisem.com/achcheck.php

ld09.exe

Remote address:

185.53.178.51:80

Request

POST /achcheck.php HTTP/1.0
Host: trisem.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1.7601 Service Pack 1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 0

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 03 Oct 2024 21:43:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_hCAQuu80gY8x9uXIhVclcT+dSEdxC8al2KotA0W1CyBEgUuQwNSgNL5dIHrcmpG8xXthfy7AX9Cv5l2Jy60ZHQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: Datacamp
X-Pcrew-Blocked-Reason: hosting network
X-Domain: trisem.com
X-Subdomain:
DNS

rd040609-cgpay.net

ld09.exe

Remote address:

8.8.8.8:53

Request

rd040609-cgpay.net

IN A

Response
DNS

upr0306.com

ld09.exe

Remote address:

8.8.8.8:53

Request

upr0306.com

IN A

Response
DNS

lastshanse26032009.com

ld09.exe

Remote address:

8.8.8.8:53

Request

lastshanse26032009.com

IN A

Response

216.58.204.68:80

http://www.google.com/

http

ld09.exe

486 B
1.1kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
185.53.178.51:80

http://trisem.com/achcheck.php

http

ld09.exe

560 B
3.5kB
6
8

HTTP Request

POST http://trisem.com/achcheck.php

HTTP Response

200

8.8.8.8:53

www.google.com

dns

ld09.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

216.58.204.68
8.8.8.8:53

upr15may.com

dns

ld09.exe

58 B
131 B
1
1

DNS Request

upr15may.com
8.8.8.8:53

er20090515.com

dns

ld09.exe

60 B
133 B
1
1

DNS Request

er20090515.com
8.8.8.8:53

uprtrishest.com

dns

ld09.exe

61 B
134 B
1
1

DNS Request

uprtrishest.com
8.8.8.8:53

trisem.com

dns

ld09.exe

56 B
72 B
1
1

DNS Request

trisem.com

DNS Response

185.53.178.51
8.8.8.8:53

rd040609-cgpay.net

dns

ld09.exe

64 B
137 B
1
1

DNS Request

rd040609-cgpay.net
8.8.8.8:53

upr0306.com

dns

ld09.exe

57 B
130 B
1
1

DNS Request

upr0306.com
8.8.8.8:53

lastshanse26032009.com

dns

ld09.exe

68 B
141 B
1
1

DNS Request

lastshanse26032009.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ld09.exe

Filesize
15KB

MD5
109b14650a1d0f7213029619ba7f3cb9

SHA1
d12076fbfca72ffd76a94ce6fd17f80728310603

SHA256
89bb1f9efa68539b8ef29f833ed379535649e7a3f1645255e567921e396cc5ba

SHA512
5dd10af5eee7131097c548a4e71d7fd47fdb646a7ade5246638c5d3bdd8e3788dcc37db177fb1cf6491bd43adc43161fc6450f556f3c06637b18afd9b78c3dba

Download Submit
C:\d45.bat

Filesize
263B

MD5
a00a319e17bb60b441e9ced656d8a143

SHA1
bf201368ce5719c21f139bc41192a35453e2e2c2

SHA256
693e3d3523ce2f3726e0b04eb15c85751247dfa6390e89b1b1a1c8168d23f9fb

SHA512
df598ce857a8afcbcb0c99b085d66c0dfce41e9ce8b26bba6e988c7f1d3fea313cb225179305e1ec4cb40e9ff6b7d78cda5c2f4c6a84b04ab5a6ecce4601a3a0

Download Submit
memory/2112-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2112-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2112-16-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/2528-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2528-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.