Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 23:58

Behavioral task: behavioral1
Sample: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
Size: 535KB
MD5: 3cb6a7288517a560ff1d380d8e8ebf50
SHA1: dda3e4cf1ee7638eb644bf5a6172b356a0aacb47
SHA256: a61b00289f9c9ea241546df20ef4b9740ffe672b6621db5d27ca6fa311b9488b
SHA512: 975d33ca1c97edd6232c8ac38f473b81c711465ea5d48059af4a2d245dd5e5a00aa32d39ed7bcf9580e9575de38a002d81e5f8a50dbc8d19d07ae8c83784fb13
SSDEEP: 12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2E:cLjQC+bs0YOE
Malware Config
Extracted family: urelas
Extracted addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures

Deletes itself (1 IoC)
Processes:
- pid 2932 cmd.exe

Executes dropped EXE (2 IoCs)
Processes:
- pid 2228 opolz.exe
- pid 3024 ewije.exe

Loads dropped DLL (2 IoCs)
Processes:
- pid 2824 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
- pid 2228 opolz.exe

YARA rule matches (resource / yara_rule):
- behavioral1/memory/2824-0-0x0000000000400000-0x000000000048B000-memory.dmp: upx
- \Users\Admin\AppData\Local\Temp\opolz.exe: upx
- behavioral1/memory/2228-10-0x0000000000400000-0x000000000048B000-memory.dmp: upx
- behavioral1/memory/2824-17-0x0000000000400000-0x000000000048B000-memory.dmp: upx
- behavioral1/memory/2228-20-0x0000000000400000-0x000000000048B000-memory.dmp: upx
- behavioral1/memory/2228-27-0x0000000000400000-0x000000000048B000-memory.dmp: upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by opolz.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ewije.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
Processes:
- pid 3024 ewije.exe (the same process is listed for all 53 IoCs)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 2824 (3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe) wrote to memory of 2228 (opolz.exe), 4 IoCs
- PID 2824 (3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe) wrote to memory of 2932 (cmd.exe), 4 IoCs
- PID 2228 (opolz.exe) wrote to memory of 3024 (ewije.exe), 4 IoCs
Processes (process tree; depth shown by numbering)

1. C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"
   PID: 2824
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\opolz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\opolz.exe"
      PID: 2228
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ewije.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ewije.exe"
         PID: 3024
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2932
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15