Analysis
-
max time kernel
121s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 09:25 UTC
Static task
static1
Behavioral task
behavioral1
Sample
171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exe
-
Size
556KB
-
MD5
171be7aef2096296d63bfc961f5ec5d3
-
SHA1
48643535ce7e4d762d3e0bdb7e28ecc12f4fcf4e
-
SHA256
ac9fcd17a86e8b3bfa031ddd3fea5e3c07d21146347924f6f55c2433c1194642
-
SHA512
f0757e8f6dcb79dde5375d3d6ef7a884601ee07f5aa0d3049905935efb4fe9285dd55a511bd565c9a8a63285e925de151099fe72ba05a71bdc7c1174c5cfdde4
-
SSDEEP
12288:R7O3sqPO5kw14/18361HSRUl1ptOyCvIlaG9FnV6I3SNgB:Z2ssOSwDq1HSRUXLDlBV6kSy
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3028 171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestmicrosoft.comIN AResponsemicrosoft.comIN A20.76.201.171microsoft.comIN A20.236.44.162microsoft.comIN A20.112.250.133microsoft.comIN A20.231.239.246microsoft.comIN A20.70.246.20
-
Remote address:8.8.8.8:53Requestnewtimedescriptor.comIN AResponse
-
Remote address:8.8.8.8:53Requestradiovaweonearch.comIN AResponse
-
Remote address:8.8.8.8:53Requestkinstelertiong.comIN AResponse
-
Remote address:8.8.8.8:53Requestfwnaopz.bizIN AResponse
-
Remote address:8.8.8.8:53Requestilfrgbqcr.comIN AResponse
-
Remote address:8.8.8.8:53Requestdxzqgzr.infoIN AResponse
-
Remote address:8.8.8.8:53Requestggtlznwnu.bizIN AResponse
-
Remote address:8.8.8.8:53Requestjbkfrto.netIN AResponse
-
Remote address:8.8.8.8:53Requestblvapvm.infoIN AResponse
-
Remote address:8.8.8.8:53Requesthrbbuoqyjv.orgIN AResponsehrbbuoqyjv.orgIN A216.218.185.162
-
POSThttp://hrbbuoqyjv.org/vWL6pC?sMKrIOTbylHyab=qIsJbfhwArXYmuWKj&CRpfCKGmHyE=MiRDRLqmCnRlvkb171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exeRemote address:216.218.185.162:80RequestPOST /vWL6pC?sMKrIOTbylHyab=qIsJbfhwArXYmuWKj&CRpfCKGmHyE=MiRDRLqmCnRlvkb HTTP/1.1
Host: hrbbuoqyjv.org
Content-Length: 65
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 09:25:58 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
-
216.218.185.162:80http://hrbbuoqyjv.org/vWL6pC?sMKrIOTbylHyab=qIsJbfhwArXYmuWKj&CRpfCKGmHyE=MiRDRLqmCnRlvkbhttp171be7aef2096296d63bfc961f5ec5d3_JaffaCakes118.exe1.6kB 1.1kB 22 21
HTTP Request
POST http://hrbbuoqyjv.org/vWL6pC?sMKrIOTbylHyab=qIsJbfhwArXYmuWKj&CRpfCKGmHyE=MiRDRLqmCnRlvkbHTTP Response
200
-
59 B 139 B 1 1
DNS Request
microsoft.com
DNS Response
20.76.201.17120.236.44.16220.112.250.13320.231.239.24620.70.246.20
-
67 B 140 B 1 1
DNS Request
newtimedescriptor.com
-
66 B 139 B 1 1
DNS Request
radiovaweonearch.com
-
64 B 137 B 1 1
DNS Request
kinstelertiong.com
-
57 B 119 B 1 1
DNS Request
fwnaopz.biz
-
59 B 132 B 1 1
DNS Request
ilfrgbqcr.com
-
58 B 137 B 1 1
DNS Request
dxzqgzr.info
-
59 B 121 B 1 1
DNS Request
ggtlznwnu.biz
-
57 B 130 B 1 1
DNS Request
jbkfrto.net
-
58 B 137 B 1 1
DNS Request
blvapvm.info
-
60 B 76 B 1 1
DNS Request
hrbbuoqyjv.org
DNS Response
216.218.185.162