Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2024 07:30

General

  • Target

    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe

  • Size

    245KB

  • MD5

    3e8f76bdbaf6fb9df9c185132ea39efb

  • SHA1

    445fd07b7655ff39eb6af2d694023069434b97b9

  • SHA256

    2a48b546a737d014e9c092dd5f4cd839d3c7dda9c3df42af05ffb8006447703f

  • SHA512

    8c68fd46e9d1a3c96445fbe7ac3b8c8f249bcd0d44c7bf1d5652ea0d4331b22f360f589909d1f2047ce01e15e0ad35c4d1f4fca077d21eec97a839bcbdb4cdb6

  • SSDEEP

    3072:UI7cDflgimvmH5NdI1uDRZij9194M1EuLAGg7oH/U1Ph0EkSe9V0NkUEj:UWcTycZNdx7Kv94WvQLkSeb

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1820

Network

  • Country: RU
    POST
    http://188.127.231.116/main.php
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    188.127.231.116:80
    Request
    POST /main.php HTTP/1.1
    Host: 188.127.231.116
    Content-Length: 100
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 307 Temporary Redirect
    Location: https://188.127.231.116/main.php
    Date: Sun, 13 Oct 2024 07:30:39 GMT
    Content-Length: 0
  • Country: FR
    POST
    http://51.254.181.122/main.php
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    51.254.181.122:80
    Request
    POST /main.php HTTP/1.1
    Host: 51.254.181.122
    Content-Length: 100
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 13 Oct 2024 07:26:49 GMT
    Server: Apache/2.2.15 (CentOS)
    Content-Length: 286
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • Country: US
    DNS
    esrfprtivm.eu
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    esrfprtivm.eu
    IN A
    Response
    esrfprtivm.eu
    IN A
    162.249.64.246
  • Country: US
    DNS
    gmaqdxmq.us
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    gmaqdxmq.us
    IN A
    Response
  • Country: US
    DNS
    prvcgr.fr
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    prvcgr.fr
    IN A
    Response
  • Country: US
    DNS
    dwfufsuosonrvw.eu
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    dwfufsuosonrvw.eu
    IN A
    Response
    dwfufsuosonrvw.eu
    IN A
    162.249.64.246
  • Country: US
    DNS
    muanvdocbcot.tf
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    muanvdocbcot.tf
    IN A
    Response
  • Country: US
    DNS
    heedsdhii.pm
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    heedsdhii.pm
    IN A
    Response
  • Country: US
    DNS
    jfmtjka.ru
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    jfmtjka.ru
    IN A
    Response
  • Country: US
    DNS
    sdajt.tf
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    sdajt.tf
    IN A
    Response
  • Country: RU
    POST
    http://188.127.231.116/main.php
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    188.127.231.116:80
    Request
    POST /main.php HTTP/1.1
    Host: 188.127.231.116
    Content-Length: 100
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 307 Temporary Redirect
    Location: https://188.127.231.116/main.php
    Date: Sun, 13 Oct 2024 07:32:17 GMT
    Content-Length: 0
  • Country: FR
    POST
    http://51.254.181.122/main.php
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    Remote address:
    51.254.181.122:80
    Request
    POST /main.php HTTP/1.1
    Host: 51.254.181.122
    Content-Length: 100
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 13 Oct 2024 07:28:27 GMT
    Server: Apache/2.2.15 (CentOS)
    Content-Length: 286
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • 149.202.109.205:80
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    120 B
    3
    3
  • 188.127.231.116:80
    http://188.127.231.116/main.php
    http
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    772 B
    547 B
    12
    10

    HTTP Request

    POST http://188.127.231.116/main.php

    HTTP Response

    307
  • 51.254.181.122:80
    http://51.254.181.122/main.php
    http
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    449 B
    678 B
    5
    5

    HTTP Request

    POST http://51.254.181.122/main.php

    HTTP Response

    404
  • 195.64.154.114:80
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    3
  • 78.40.108.39:80
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    3
  • 91.195.12.187:80
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    3
  • 162.249.64.246:80
    esrfprtivm.eu
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    80 B
    3
    2
  • 162.249.64.246:80
    dwfufsuosonrvw.eu
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    120 B
    3
    3
  • 149.202.109.205:80
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    120 B
    3
    3
  • 188.127.231.116:80
    http://188.127.231.116/main.php
    http
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    450 B
    307 B
    5
    4

    HTTP Request

    POST http://188.127.231.116/main.php

    HTTP Response

    307
  • 51.254.181.122:80
    http://51.254.181.122/main.php
    http
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    449 B
    678 B
    5
    5

    HTTP Request

    POST http://51.254.181.122/main.php

    HTTP Response

    404
  • 195.64.154.114:80
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    152 B
    3
  • 8.8.8.8:53
    esrfprtivm.eu
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    59 B
    75 B
    1
    1

    DNS Request

    esrfprtivm.eu

    DNS Response

    162.249.64.246

  • 8.8.8.8:53
    gmaqdxmq.us
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    57 B
    120 B
    1
    1

    DNS Request

    gmaqdxmq.us

  • 8.8.8.8:53
    prvcgr.fr
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    55 B
    113 B
    1
    1

    DNS Request

    prvcgr.fr

  • 8.8.8.8:53
    dwfufsuosonrvw.eu
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    63 B
    79 B
    1
    1

    DNS Request

    dwfufsuosonrvw.eu

    DNS Response

    162.249.64.246

  • 8.8.8.8:53
    muanvdocbcot.tf
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    61 B
    121 B
    1
    1

    DNS Request

    muanvdocbcot.tf

  • 8.8.8.8:53
    heedsdhii.pm
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    58 B
    118 B
    1
    1

    DNS Request

    heedsdhii.pm

  • 8.8.8.8:53
    jfmtjka.ru
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    56 B
    117 B
    1
    1

    DNS Request

    jfmtjka.ru

  • 8.8.8.8:53
    sdajt.tf
    dns
    3e8f76bdbaf6fb9df9c185132ea39efb_JaffaCakes118.exe
    54 B
    114 B
    1
    1

    DNS Request

    sdajt.tf

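As an added triage example (not part of the sandbox report and not code from any tool it uses), the script below re-encodes the DNS and HTTP observations listed above as constructed Python data and applies three checks a detection engineer would write for a sample that behaves like this one: a lexical DGA heuristic over the queried names, a check for a burst of lookups that mostly return no A record, and extraction of POST targets whose Host header is a bare IP. The thresholds, the function names and the tuple layout are assumptions chosen for the example.

```python
import re

# Constructed from the Network section of the report above; the sandbox does
# not export this tuple layout, it is a transcription for the example.
DNS_EVENTS = [
    ("esrfprtivm.eu", "162.249.64.246"),
    ("gmaqdxmq.us", None),
    ("prvcgr.fr", None),
    ("dwfufsuosonrvw.eu", "162.249.64.246"),
    ("muanvdocbcot.tf", None),
    ("heedsdhii.pm", None),
    ("jfmtjka.ru", None),
    ("sdajt.tf", None),
]

# (method, Host header, path, Content-Length, response status), also constructed
# from the four HTTP entries in the report.
HTTP_EVENTS = [
    ("POST", "188.127.231.116", "/main.php", 100, 307),
    ("POST", "51.254.181.122", "/main.php", 100, 404),
    ("POST", "188.127.231.116", "/main.php", 100, 307),
    ("POST", "51.254.181.122", "/main.php", 100, 404),
]

VOWELS = frozenset("aeiou")
IP_LITERAL = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def lexical_features(domain):
    """Vowel ratio and longest consonant run of the registrable label.

    Assumes the first label is the registrable one (true for every name in
    the report; a public-suffix list would be needed for names under .co.uk
    and similar).
    """
    label = domain.lower().split(".")[0]
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0, 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio, longest


def looks_generated(domain, max_vowel_ratio=0.3, min_consonant_run=4):
    """Lexical DGA heuristic; the thresholds are assumptions, not report data."""
    vowel_ratio, longest_run = lexical_features(domain)
    return vowel_ratio < max_vowel_ratio or longest_run >= min_consonant_run


def dga_burst(dns_events, min_lookups=5, min_unresolved_ratio=0.5):
    """Flag a process that fires many lookups of which most return no A record."""
    if len(dns_events) < min_lookups:
        return False
    unresolved = sum(1 for _, answer in dns_events if answer is None)
    return unresolved / len(dns_events) >= min_unresolved_ratio


def shared_answers(dns_events):
    """Group resolved names by answer; several odd names on one IP is a pivot."""
    by_ip = {}
    for qname, answer in dns_events:
        if answer is not None:
            by_ip.setdefault(answer, []).append(qname)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def ip_literal_posts(http_events):
    """Hosts that received a POST addressed by bare IP (no DNS lookup needed)."""
    return sorted({host for method, host, _, _, _ in http_events
                   if method == "POST" and IP_LITERAL.match(host)})


def triage(dns_events=DNS_EVENTS, http_events=HTTP_EVENTS):
    """Summarise the checks above into one dict of indicators."""
    return {
        "generated_domains": [d for d, _ in dns_events if looks_generated(d)],
        "dga_burst": dga_burst(dns_events),
        "shared_answers": shared_answers(dns_events),
        "c2_candidates": ip_literal_posts(http_events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two points the run makes visible. The lexical heuristic catches seven of the eight names but not muanvdocbcot.tf, which has a normal vowel ratio and no long consonant run; the burst check (six of eight lookups returned no A record) covers that gap, which is why a DGA detection should lean on lookup behaviour per process rather than on name shape alone. On the HTTP side, every POST carries a 100-byte body to /main.php on an IP-literal host; 188.127.231.116 answers with a 307 to the same path over HTTPS, and the report's connection list shows no traffic to port 443, so the redirect is an indicator to record, not evidence that the sample followed it.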
MITRE ATT&CK Enterprise v15

Downloads

  • memory/1820-0-0x00000000012A2000-0x00000000012A4000-memory.dmp

    Filesize

    8KB

  • memory/1820-1-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-2-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-4-0x00000000012A2000-0x00000000012A4000-memory.dmp

    Filesize

    8KB

  • memory/1820-5-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-7-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-8-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-10-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-13-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-15-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-16-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-17-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-18-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB

  • memory/1820-19-0x0000000001290000-0x00000000012D2000-memory.dmp

    Filesize

    264KB
