Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 04:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
General
-
Target
2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe
-
Size
202KB
-
MD5
2afa3fb82767433fcfdc04d4d46f9ff4
-
SHA1
497355a939bc7a04f303d05dfb046c5bd11857f1
-
SHA256
df1ed1e0417dff924ed42f07f06aefdb8def643661c693ddeb7ec1bb63c255d6
-
SHA512
3dcd05e35609fc163688562b8a8dd1bc9d9c6a67098b7db590d96324f063123ff23c5a0229c9a6f43d56308f80460d42b8f8113cc6d8a51275690dae94a13655
-
SSDEEP
3072:Ya1qQA5osTfGOJdL3QkK5kOrcPI1Ze6TRkr8EuSzszR:YaM6sTJnLnIcPI1LTyuSz+R
Malware Config
Extracted
Family
arkei
Botnet
Default
C2
boombangers00666999.sc/gate2233.php
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1820 3024 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 5522⤵
- Program crash
PID:1820
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3024 -ip 30241⤵PID:4528
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=103EDB0E7ACD6CF01F2BCE1D7BCB6DDE; domain=.bing.com; expires=Mon, 03-Nov-2025 14:17:18 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 608317AA00AC48D69C7EE350211E9B92 Ref B: LON601060107062 Ref C: 2024-10-09T14:17:18Z
date: Wed, 09 Oct 2024 14:17:18 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=103EDB0E7ACD6CF01F2BCE1D7BCB6DDE
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=82DNOZiM3IgrcM2LtwP_msT6BZjw0dNaumxbPe7uDXs; domain=.bing.com; expires=Mon, 03-Nov-2025 14:17:18 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BE4788643936480FB628089E6000AFD7 Ref B: LON601060107062 Ref C: 2024-10-09T14:17:18Z
date: Wed, 09 Oct 2024 14:17:18 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=103EDB0E7ACD6CF01F2BCE1D7BCB6DDE; MSPTC=82DNOZiM3IgrcM2LtwP_msT6BZjw0dNaumxbPe7uDXs
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EBFACE794B444DA99D3298AE43299670 Ref B: LON601060107062 Ref C: 2024-10-09T14:17:18Z
date: Wed, 09 Oct 2024 14:17:18 GMT
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request68.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request98.117.19.2.in-addr.arpaIN PTRResponse98.117.19.2.in-addr.arpaIN PTRa2-19-117-98deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
150.171.28.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=tls, http22.0kB 9.3kB 21 18
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=HTTP Response
204
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
68.209.201.84.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
98.117.19.2.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa