Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 07:30
Static task
static1
Behavioral task
behavioral1
Sample
3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
-
Size
245KB
-
MD5
3e8f76bdbaf6fb9df9c185132ea39efb
-
SHA1
445fd07b7655ff39eb6af2d694023069434b97b9
-
SHA256
2a48b546a737d014e9c092dd5f4cd839d3c7dda9c3df42af05ffb8006447703f
-
SHA512
8c68fd46e9d1a3c96445fbe7ac3b8c8f249bcd0d44c7bf1d5652ea0d4331b22f360f589909d1f2047ce01e15e0ad35c4d1f4fca077d21eec97a839bcbdb4cdb6
-
SSDEEP
3072:UI7cDflgimvmH5NdI1uDRZij9194M1EuLAGg7oH/U1Ph0EkSe9V0NkUEj:UWcTycZNdx7Kv94WvQLkSeb
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1820 3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
Processes
Network
-
Remote address:188.127.231.116:80RequestPOST /main.php HTTP/1.1
Host: 188.127.231.116
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 307 Temporary Redirect
Date: Sun, 13 Oct 2024 07:30:39 GMT
Content-Length: 0
-
Remote address:51.254.181.122:80RequestPOST /main.php HTTP/1.1
Host: 51.254.181.122
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Server: Apache/2.2.15 (CentOS)
Content-Length: 286
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
Remote address:8.8.8.8:53Requestesrfprtivm.euIN AResponseesrfprtivm.euIN A162.249.64.246
-
Remote address:8.8.8.8:53Requestgmaqdxmq.usIN AResponse
-
Remote address:8.8.8.8:53Requestprvcgr.frIN AResponse
-
Remote address:8.8.8.8:53Requestdwfufsuosonrvw.euIN AResponsedwfufsuosonrvw.euIN A162.249.64.246
-
Remote address:8.8.8.8:53Requestmuanvdocbcot.tfIN AResponse
-
Remote address:8.8.8.8:53Requestheedsdhii.pmIN AResponse
-
Remote address:8.8.8.8:53Requestjfmtjka.ruIN AResponse
-
Remote address:8.8.8.8:53Requestsdajt.tfIN AResponse
-
Remote address:188.127.231.116:80RequestPOST /main.php HTTP/1.1
Host: 188.127.231.116
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 307 Temporary Redirect
Date: Sun, 13 Oct 2024 07:32:17 GMT
Content-Length: 0
-
Remote address:51.254.181.122:80RequestPOST /main.php HTTP/1.1
Host: 51.254.181.122
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Server: Apache/2.2.15 (CentOS)
Content-Length: 286
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
152 B 120 B 3 3
-
188.127.231.116:80http://188.127.231.116/main.phphttp3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe772 B 547 B 12 10
HTTP Request
POST http://188.127.231.116/main.phpHTTP Response
307 -
51.254.181.122:80http://51.254.181.122/main.phphttp3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe449 B 678 B 5 5
HTTP Request
POST http://51.254.181.122/main.phpHTTP Response
404 -
152 B 3
-
152 B 3
-
152 B 3
-
152 B 80 B 3 2
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
188.127.231.116:80http://188.127.231.116/main.phphttp3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe450 B 307 B 5 4
HTTP Request
POST http://188.127.231.116/main.phpHTTP Response
307 -
51.254.181.122:80http://51.254.181.122/main.phphttp3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe449 B 678 B 5 5
HTTP Request
POST http://51.254.181.122/main.phpHTTP Response
404 -
152 B 3
-
59 B 75 B 1 1
DNS Request
esrfprtivm.eu
DNS Response
162.249.64.246
-
57 B 120 B 1 1
DNS Request
gmaqdxmq.us
-
55 B 113 B 1 1
DNS Request
prvcgr.fr
-
63 B 79 B 1 1
DNS Request
dwfufsuosonrvw.eu
DNS Response
162.249.64.246
-
61 B 121 B 1 1
DNS Request
muanvdocbcot.tf
-
58 B 118 B 1 1
DNS Request
heedsdhii.pm
-
56 B 117 B 1 1
DNS Request
jfmtjka.ru
-
54 B 114 B 1 1
DNS Request
sdajt.tf