Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 18:07

Behavioral task: behavioral1
Sample: 4150869444302f78451b1d4834933554_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 4150869444302f78451b1d4834933554_JaffaCakes118.exe
Size: 1.1MB
MD5: 4150869444302f78451b1d4834933554
SHA1: 7767ed14ff5aa6d9554665ac52994bdfb90b6dd9
SHA256: ff7d56c1a7efc795cbd031c054dedfe8fa354a370b212a8a8e10be62d263cad0
SHA512: 4a4dba2b633b6902bfd07a56679c2d97123b56431aecbd97edfb8b49c42f2789e05a04aaeb9abf03381ff1349f08ac456bfb82276065fe4fdc6c9f152694b437
SSDEEP: 12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YN:tcykpY5852j6aJGl5cqBA
Malware Config
Extracted family: urelas
C2: 218.54.31.165
C2: 218.54.31.226
Signatures

Deletes itself (1 IoC)
  cmd.exe  PID 3024

Executes dropped EXE (3 IoCs)
  rekaw.exe   PID 1888
  koivwe.exe  PID 2964
  kuuqw.exe   PID 1652

Loads dropped DLL (5 IoCs)
  4150869444302f78451b1d4834933554_JaffaCakes118.exe  PID 3012  (2 loads)
  rekaw.exe   PID 1888  (2 loads)
  koivwe.exe  PID 2964  (1 load)

YARA match: upx (3 IoCs)
  \Users\Admin\AppData\Local\Temp\kuuqw.exe
  behavioral1/memory/1652-54-0x0000000000400000-0x0000000000599000-memory.dmp
  behavioral1/memory/1652-59-0x0000000000400000-0x0000000000599000-memory.dmp
  (the dropped kuuqw.exe is UPX-packed on disk and its mapped image in PID 1652 still carries the UPX markers)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: koivwe.exe, kuuqw.exe, cmd.exe, 4150869444302f78451b1d4834933554_JaffaCakes118.exe, rekaw.exe, cmd.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  kuuqw.exe  PID 1652  (13 occurrences)

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 3012 (4150869444302f78451b1d4834933554_JaffaCakes118.exe) wrote to memory of PID 1888 (rekaw.exe)   x4
  PID 3012 (4150869444302f78451b1d4834933554_JaffaCakes118.exe) wrote to memory of PID 3024 (cmd.exe)     x4
  PID 1888 (rekaw.exe)  wrote to memory of PID 2964 (koivwe.exe)  x4
  PID 2964 (koivwe.exe) wrote to memory of PID 1652 (kuuqw.exe)   x4
  PID 2964 (koivwe.exe) wrote to memory of PID 1672 (cmd.exe)     x4
  (every hit is a parent writing into a child it has just spawned, four writes per pair; that pattern is produced by process creation itself and is not on its own evidence of a separate injection step)
Processes (indentation = process depth)

[1] C:\Users\Admin\AppData\Local\Temp\4150869444302f78451b1d4834933554_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4150869444302f78451b1d4834933554_JaffaCakes118.exe"
    PID 3012
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\rekaw.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\rekaw.exe"
        PID 1888
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\koivwe.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\koivwe.exe" OK
            PID 2964
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\kuuqw.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\kuuqw.exe"
                PID 1652
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe
                cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID 1672
                - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID 3024
        - Deletes itself
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 304B
  MD5: a4e89c7ca30b163217150fd27585d12f
  SHA1: 0efd30bf1bd473ca2ac1ece031306bf54728d0b1
  SHA256: bb5bf02f351c90535f61a12a9718cd59dfae8c11485d9410a328fd3ab729b3b3
  SHA512: 9a41cdb2c7c68216f9a69bdeae187724bb9928e1485e2b2d07426f1d659860f6dc27e1d81483d89c739d4a445be913cb108e85d0ef046318c18a5bd2e7ebfe32

Dropped file 2
  Filesize: 224B
  MD5: 0cfe2b017f6a530f04ae3f74fb3c429a
  SHA1: 374a41d042447ba25a06a3decf53bd0454963ffb
  SHA256: 4dba2bae815fc65db6610d7d9fb796a211bdac73c8fe8db31075dff9ac1d1c2f
  SHA512: e1140030234d29556c910a006b7b0f2d0dfe9c33330bff540072385b24a156f2c576faa75959180ac8362ab151366a9b82d7dcda1edfccccd788b01151c0e7ef

Dropped file 3
  Filesize: 104B
  MD5: dbef593bccc2049f860f718cd6fec321
  SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
  SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
  SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Dropped file 4
  Filesize: 512B
  MD5: 1a44e0d4f17e29cb7d213a0a43d15f3e
  SHA1: bba4b2a633af41ec7ea0643f2aa09dbb73631151
  SHA256: a5728470a4ed54c07a6ef4bee520648e476bd6fbec1b8d8543faa656500f6a38
  SHA512: 1db4d6c8f717c317345a69b60f4d83ef9e5174395a5f111b330202359ec72a374b2933a586b2c7f6eaac4193c384e4217eefa06a1822a3dc22995dcf5d61e907

Dropped file 5
  Filesize: 459KB
  MD5: 0f731b0e7e77acca231c09be1e0be30e
  SHA1: 4e30841a53edfec28ed84c49bed920274dcccb97
  SHA256: 5d391c68421a63cd893fe81a344972e48e7c8871d8c752906aa0c63851cc2307
  SHA512: ad268840afed98f26fe50c9a0fee666c7a5c5199d884964596d01b3776264da8b2523c29e41b1c1e3e8d271ec125510543405fd0f8f86e65eb8b6c5c9c09d659

Dropped file 6
  Filesize: 1.1MB
  MD5: 4e7ae3a01d58adf1197e106fe3660c55
  SHA1: 79e35eeacee004e71db0a275fcc87907e48853c3
  SHA256: fe822bb513b5af18fc69582a300e9a2765af5a7ec9b585b74f5d88d87005caa2
  SHA512: 5facfc8d5438156f7ad5259edcdc16c4150b2e79d232787e75dc56f5aef8d28928a91914dc91788941caeb1b941c92f35f06a462d1bfa370972a2483e8bc2d4a
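The report above gives three things a defender can act on: file hashes (sample and dropped files), the two urelas addresses from the extracted config, and a process pattern (an executable in %TEMP% spawning further %TEMP% executables, each parent launching cmd.exe on a %TEMP% .bat that deletes the dropper). The script below is an added example, not part of the sandbox output, that turns those into a hunt over process, file and network telemetry. The event records in SAMPLE_EVENTS are constructed to mirror the report's process tree; the explorer.exe parent, the invoice.exe file event and the non-C2 destinations are assumptions for illustration.

```python
"""IOC and behaviour hunt built from this report (added example, not sandbox output).

Encodes: the sample's and dropped files' hashes, the two urelas C2 addresses,
and the process pattern of a %TEMP% executable spawning %TEMP% executables plus
cmd.exe running a %TEMP% .bat. SAMPLE_EVENTS is constructed telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hashes from the General and Downloads sections (MD5 and SHA256 share one set).
HASH_IOCS = {
    "4150869444302f78451b1d4834933554",
    "ff7d56c1a7efc795cbd031c054dedfe8fa354a370b212a8a8e10be62d263cad0",
    "5d391c68421a63cd893fe81a344972e48e7c8871d8c752906aa0c63851cc2307",
    "fe822bb513b5af18fc69582a300e9a2765af5a7ec9b585b74f5d88d87005caa2",
}
# Addresses from the extracted urelas config.
C2_IOCS = {ipaddress.ip_address("218.54.31.165"), ipaddress.ip_address("218.54.31.226")}

TEMP_EXE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.bat", re.I)


@dataclass
class Event:
    kind: str            # "process", "file" or "network"
    pid: int = 0
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    sha256: str = ""
    md5: str = ""
    dst: str = ""


def match_hashes(events):
    return [e for e in events if e.kind == "file"
            and (e.sha256.lower() in HASH_IOCS or e.md5.lower() in HASH_IOCS)]


def match_c2(events):
    hits = []
    for e in events:
        if e.kind != "network":
            continue
        try:
            if ipaddress.ip_address(e.dst) in C2_IOCS:
                hits.append(e)
        except ValueError:      # hostname or malformed address: not an IP IOC
            pass
    return hits


def find_dropper_chains(events, min_depth=3):
    """PID chains of %TEMP% executables spawning %TEMP% executables, at least min_depth long."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    chains = []

    def walk(pid, chain):
        children = [p for p in procs.values() if p.ppid == pid and TEMP_EXE.match(p.image)]
        if not children and len(chain) >= min_depth:
            chains.append(chain)
        for c in children:
            walk(c.pid, chain + [c.pid])

    for p in procs.values():
        parent = procs.get(p.ppid)
        if TEMP_EXE.match(p.image) and not (parent and TEMP_EXE.match(parent.image)):
            walk(p.pid, [p.pid])        # start only from chain roots
    return chains


def find_temp_batch_launches(events):
    """cmd.exe running a .bat from %TEMP%, parented by a %TEMP% executable (self-delete helper)."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    return sorted(p.pid for p in procs.values()
                  if p.image.lower().endswith("\\cmd.exe") and TEMP_BAT.search(p.cmdline)
                  and p.ppid in procs and TEMP_EXE.match(procs[p.ppid].image))


T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [   # constructed; PIDs and paths mirror the report's process tree
    Event("process", pid=1234, image="C:\\Windows\\explorer.exe"),                       # assumed parent
    Event("process", pid=3012, ppid=1234, image=T + "4150869444302f78451b1d4834933554_JaffaCakes118.exe"),
    Event("process", pid=1888, ppid=3012, image=T + "rekaw.exe"),
    Event("process", pid=3024, ppid=3012, image="C:\\Windows\\SysWOW64\\cmd.exe",
          cmdline='cmd /c ""' + T + '_vslite.bat" "'),
    Event("process", pid=2964, ppid=1888, image=T + "koivwe.exe", cmdline='"' + T + 'koivwe.exe" OK'),
    Event("process", pid=1652, ppid=2964, image=T + "kuuqw.exe"),
    Event("process", pid=1672, ppid=2964, image="C:\\Windows\\SysWOW64\\cmd.exe",
          cmdline='cmd /c ""' + T + '_vslite.bat" "'),
    Event("file", image="C:\\Users\\Admin\\Downloads\\invoice.exe",                      # assumed path
          sha256="ff7d56c1a7efc795cbd031c054dedfe8fa354a370b212a8a8e10be62d263cad0"),
    Event("file", image="C:\\Windows\\System32\\notepad.exe", sha256="00" * 32),
    Event("network", pid=1652, dst="218.54.31.165"),
    Event("network", pid=1652, dst="8.8.8.8"),
    Event("network", pid=1652, dst="update.example.invalid"),
]


def run(events=SAMPLE_EVENTS):
    return {
        "hash_hits": [e.image for e in match_hashes(events)],
        "c2_hits": [e.dst for e in match_c2(events)],
        "dropper_chains": find_dropper_chains(events),
        "batch_launches": find_temp_batch_launches(events),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The chain heuristic is deliberately the broad signal: hashes and C2 addresses change between builds, while the report's shape (dropper in %TEMP%, two more dropped executables in %TEMP%, a cmd.exe on `_vslite.bat` under each parent to remove it) survives repacking. Feed `run()` real telemetry by building `Event` records from your EDR export with the same field names.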