Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 04:38

General

  • Target

    2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe

  • Size

    202KB

  • MD5

    2afa3fb82767433fcfdc04d4d46f9ff4

  • SHA1

    497355a939bc7a04f303d05dfb046c5bd11857f1

  • SHA256

    df1ed1e0417dff924ed42f07f06aefdb8def643661c693ddeb7ec1bb63c255d6

  • SHA512

    3dcd05e35609fc163688562b8a8dd1bc9d9c6a67098b7db590d96324f063123ff23c5a0229c9a6f43d56308f80460d42b8f8113cc6d8a51275690dae94a13655

  • SSDEEP

    3072:Ya1qQA5osTfGOJdL3QkK5kOrcPI1Ze6TRkr8EuSzszR:YaM6sTJnLnIcPI1LTyuSz+R

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

boombangers00666999.sc/gate2233.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2afa3fb82767433fcfdc04d4d46f9ff4_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 552
      2⤵
      • Program crash
      PID:1820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3024 -ip 3024
    1⤵
      PID:4528

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=103EDB0E7ACD6CF01F2BCE1D7BCB6DDE; domain=.bing.com; expires=Mon, 03-Nov-2025 14:17:18 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 608317AA00AC48D69C7EE350211E9B92 Ref B: LON601060107062 Ref C: 2024-10-09T14:17:18Z
      date: Wed, 09 Oct 2024 14:17:18 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=103EDB0E7ACD6CF01F2BCE1D7BCB6DDE
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=82DNOZiM3IgrcM2LtwP_msT6BZjw0dNaumxbPe7uDXs; domain=.bing.com; expires=Mon, 03-Nov-2025 14:17:18 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: BE4788643936480FB628089E6000AFD7 Ref B: LON601060107062 Ref C: 2024-10-09T14:17:18Z
      date: Wed, 09 Oct 2024 14:17:18 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=103EDB0E7ACD6CF01F2BCE1D7BCB6DDE; MSPTC=82DNOZiM3IgrcM2LtwP_msT6BZjw0dNaumxbPe7uDXs
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EBFACE794B444DA99D3298AE43299670 Ref B: LON601060107062 Ref C: 2024-10-09T14:17:18Z
      date: Wed, 09 Oct 2024 14:17:18 GMT
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      14.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      68.209.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.209.201.84.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      98.117.19.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      98.117.19.2.in-addr.arpa
      IN PTR
      Response
      98.117.19.2.in-addr.arpa
      IN PTR
      a2-19-117-98deploystaticakamaitechnologiescom
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      tls, http2
      2.0kB
      9.3kB
      21
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      14.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      68.209.201.84.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      68.209.201.84.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      98.117.19.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      98.117.19.2.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3024-1-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/3024-2-0x0000000002170000-0x0000000002189000-memory.dmp

      Filesize

      100KB

    • memory/3024-3-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3024-4-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3024-5-0x0000000002170000-0x0000000002189000-memory.dmp

      Filesize

      100KB

    • memory/3024-6-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.