Analysis
max time kernel: 150s
max time network: 81s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 20:08
Behavioral task: behavioral1
Sample: 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
Size: 446KB
MD5: 41d6464ffa1ec0d15308465a8187eea2
SHA1: 9e84fd1c73f389be7f2f86bc3c76808b2d5f5ffb
SHA256: aadaa8a794e656859ccb247ae5dc46a66920225db288f53237d8f3b2818db76a
SHA512: 9c09a2b7f128d179807975daa83b3c791fbb8762222fb8d29f0bac5dfc189f5f207ca0485680533f26ee3efd3668b3775486ff0a3d6cc436855222129621792f
SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpomn:PMpASIcWYx2U6hAJQn4
Malware Config
Extracted
Family: urelas
C2:
218.54.31.165
218.54.31.226
Signatures

Deletes itself (1 IoC)
Processes:
cmd.exe (PID 2856)

Executes dropped EXE (3 IoCs)
Processes:
gidij.exe (PID 2876)
opvyci.exe (PID 3012)
cywul.exe (PID 2700)

Loads dropped DLL (3 IoCs)
Processes:
41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe (PID 2248)
gidij.exe (PID 2876)
opvyci.exe (PID 3012)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (each opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
gidij.exe
cmd.exe
opvyci.exe
cywul.exe
cmd.exe
41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes:
cywul.exe (PID 2700), logged 54 times

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (each source/target pair below was logged 4 times):
PID 2248 (41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe) wrote to memory of PID 2876 (gidij.exe)
PID 2248 (41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe) wrote to memory of PID 2856 (cmd.exe)
PID 2876 (gidij.exe) wrote to memory of PID 3012 (opvyci.exe)
PID 3012 (opvyci.exe) wrote to memory of PID 2700 (cywul.exe)
PID 3012 (opvyci.exe) wrote to memory of PID 2836 (cmd.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe (PID 2248)
   Command line: "C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\gidij.exe (PID 2876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gidij.exe" hi
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\opvyci.exe (PID 3012)
         Command line: "C:\Users\Admin\AppData\Local\Temp\opvyci.exe" OK
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\cywul.exe (PID 2700)
            Command line: "C:\Users\Admin\AppData\Local\Temp\cywul.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

         4. C:\Windows\SysWOW64\cmd.exe (PID 2836)
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe (PID 2856)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
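The WriteProcessMemory signature lists one IoC per write, so every source/target pair appears four times; collapsing those writes into edges reproduces the process tree shown above and gives a quick way to tell spawning from injection. The Python below is an added example and not part of the Triage report: it parses an excerpt of the report's own signature text (copied verbatim: the first pair with all four repeats, then one line per remaining pair), dedupes the pairs, and renders the tree. The function names and the output layout are this example's choices.

```python
"""Rebuild the spawn chain from a Triage "Suspicious use of WriteProcessMemory" signature."""
import re
from collections import Counter, defaultdict

# Excerpt of the report's signature text, copied verbatim: the first source/target
# pair with all four of its repeats, then one line for each remaining pair.
WPM_SIGNATURE = """
PID 2248 wrote to memory of 2876 2248 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe gidij.exe
PID 2248 wrote to memory of 2876 2248 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe gidij.exe
PID 2248 wrote to memory of 2876 2248 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe gidij.exe
PID 2248 wrote to memory of 2876 2248 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe gidij.exe
PID 2248 wrote to memory of 2856 2248 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe cmd.exe
PID 2876 wrote to memory of 3012 2876 gidij.exe opvyci.exe
PID 3012 wrote to memory of 2700 3012 opvyci.exe cywul.exe
PID 3012 wrote to memory of 2836 3012 opvyci.exe cmd.exe
"""

# One IoC line: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm(text):
    """Return (src_pid, src_image, dst_pid, dst_image) per IoC line, duplicates kept."""
    return [(int(s), si, int(d), di) for s, d, si, di in _WPM_RE.findall(text)]


def spawn_edges(events):
    """Collapse repeated writes into one edge per (src_pid, dst_pid) with its count."""
    return Counter((s, d) for s, _, d, _ in events)


def build_tree(events):
    """Return (roots, children, names): parent->children lists and pid->image names."""
    children = defaultdict(list)
    names = {}
    for s, si, d, di in events:
        names[s] = si
        names[d] = di
        if d not in children[s]:
            children[s].append(d)
    targets = {d for _, _, d, _ in events}
    roots = sorted(p for p in children if p not in targets)
    return roots, children, names


def chain_to(pid, events):
    """Ancestry of pid from the root, e.g. [2248, 2876, 3012, 2700] for cywul.exe."""
    parent = {d: s for s, _, d, _ in events}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(events):
    """Indented tree text, one process per line, children under their parent."""
    roots, children, names = build_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_wpm(WPM_SIGNATURE)
    print(render(ev))
    print(spawn_edges(ev))
```

Every target in this report is a child that the source itself launches (the process tree confirms it), which is what Windows process creation looks like when the sandbox hooks memory writes into the new child. The edge worth a closer look is a write into a PID that is not a child of the writer; none appears here.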
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 304B
MD5: ef2b73166547b3fe2fef0e29b39daa45
SHA1: b08caa3a47057cd651723bfe72b77a936a7cce76
SHA256: ab80161a544631984b272ae21f52017e036866ec599eb85d295ed54eea8798d6
SHA512: cfa240597d2c6e3f11cab625b8b70b7eac6502764e19fa82995ada1b9631a9e64026369c73943fe08cebd16d096f6271bd03b55609b4e1b661aaf725b36292ca

File 2
Filesize: 224B
MD5: 4d64dc876ce23798882f1552c0d892d5
SHA1: e46cdf174e708f6fc95412f613c720f007861128
SHA256: 33a6c604042fe7b2539e18c0b94c0dd5f85bc4260c69cbc274807efbc7786863
SHA512: db4175826c42b7f5031b81586d1b085402cd8ddc76945e35a9256926f3efbabceaccdf16b9c6d90897ce833ab19756934a3f26507d355ce6c9124950f19234ac

File 3
Filesize: 512B
MD5: b79034f85d28b26913139a6bfef20d53
SHA1: 72cf006e53854d0fe107fa70b0a69f8f799c2709
SHA256: 545185129fd6e7c6cded59fd821b9d37829f2fe0a80a73152fe2dbf6fceccbe3
SHA512: be83ec704277faaefcb13b5265276601f7fa7781d4d0ad0a8adfff9d65a358eeb0736565afdfd48b87781994054aebbd4fbd396ad335d5e8b1a68e29c0dc7a9a

File 4
Filesize: 447KB
MD5: 37ee9df03c2c4b70fa8c849696d0e766
SHA1: 91ad3a8db6327d88b1923076e00153f8cb80c8b2
SHA256: 4babf12cac8700a1215d0769b571cc6dafe89d504e80581d47535e34065853d6
SHA512: e9ae62c3c7b7ac6ce3911c3103315518a5bd8147ed18bc5f2b76bc72ddae978bed0491bfe2b39496fa44abc90826127bd40c37570acb09be026bad3459f584c4

File 5
Filesize: 223KB
MD5: 071f5b27eec863360612ff7cd7125af9
SHA1: d1603ab9cc0bab3e8b1e1f763bf117dc5a90816e
SHA256: b5d03935d6b66e532ed28953908c061af8aec503546ed368fd363a82a7a07758
SHA512: 215e8452b2c38eca7d7dd854b58ff77da9d1637523f56e473d428a53f7ebd34cf24e92b40ad1b9e5ccec2f78a1553a3409c2790f50f8e13b0925c3071f1ead9c

File 6
Filesize: 447KB
MD5: 5a403cd23db801757e12b6ee21cd4e89
SHA1: be3bbbd74fa4686a6c83461af37f5342730299dd
SHA256: 318c2097cfe0efa17dda1105b28777628bab4b48d345cdde1d58d3ffd65c4ecb
SHA512: c48046b3db36d493c1d76af87ca2a34ba85927c684f1ab9291691fe45ec384e9cecb06f82b4a8b9fbde1dcc3cadcbeea6055900d4c07f1123a67666eb9dd6b82
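To use this report operationally, its indicators need to be in a form that can be matched against host and network telemetry. The Python below is an added example, not part of the report or of any tool: it carries the C2 addresses from the extracted urelas config, the SHA256 values of the submitted sample and the six dropped files, the file names seen in this run's process tree, and the cmd /c ""...\_vslite.bat" " launch pattern, and scores constructed events against them. The event field names (image, cmdline, sha256, dst_ip), the weights, and the sample events are assumptions of this example; the report does not say whether the dropped file names recur across samples, so they are treated as weak indicators.

```python
"""Match constructed host/network events against the indicators in this report."""
import re
from pathlib import PureWindowsPath

# C2 addresses from the report's extracted urelas config.
C2_IPS = {"218.54.31.165", "218.54.31.226"}

# SHA256 of the submitted sample (446KB) and of the six dropped files under Downloads.
SHA256S = {
    "aadaa8a794e656859ccb247ae5dc46a66920225db288f53237d8f3b2818db76a",  # sample, 446KB
    "ab80161a544631984b272ae21f52017e036866ec599eb85d295ed54eea8798d6",  # 304B
    "33a6c604042fe7b2539e18c0b94c0dd5f85bc4260c69cbc274807efbc7786863",  # 224B
    "545185129fd6e7c6cded59fd821b9d37829f2fe0a80a73152fe2dbf6fceccbe3",  # 512B
    "4babf12cac8700a1215d0769b571cc6dafe89d504e80581d47535e34065853d6",  # 447KB
    "b5d03935d6b66e532ed28953908c061af8aec503546ed368fd363a82a7a07758",  # 223KB
    "318c2097cfe0efa17dda1105b28777628bab4b48d345cdde1d58d3ffd65c4ecb",  # 447KB
}

# File names from this run's process tree. Assumption (not stated by the report):
# these may differ between runs, so they carry a low weight below.
TEMP_NAMES = {"gidij.exe", "opvyci.exe", "cywul.exe", "_vslite.bat"}

# The cmd.exe launch the report tags "Deletes itself": cmd /c ""<path>\_vslite.bat" "
_SELF_DELETE_RE = re.compile(r'cmd /c ""[^"]*\\_vslite\.bat" "', re.IGNORECASE)

# Weights are this example's choice: hashes and C2 addresses are specific to this
# sample; the batch launch pattern is behavioural; bare file names are weak.
WEIGHTS = {"sha256": 10, "c2": 10, "self_delete_cmd": 5, "temp_name": 2}


def match_event(ev):
    """Return the (kind, value) indicators one event matches; [] for a clean event."""
    hits = []
    sha = ev.get("sha256", "").lower()          # normalise case before comparing
    if sha in SHA256S:
        hits.append(("sha256", sha))
    if ev.get("dst_ip") in C2_IPS:
        hits.append(("c2", ev["dst_ip"]))
    cmd = ev.get("cmdline", "")
    if _SELF_DELETE_RE.search(cmd):
        hits.append(("self_delete_cmd", cmd))
    name = PureWindowsPath(ev.get("image", "")).name.lower()
    if name in TEMP_NAMES:
        hits.append(("temp_name", name))
    for known in TEMP_NAMES:                     # names referenced on the command line
        if known in cmd.lower() and known != name:
            hits.append(("temp_name", known))
    return hits


def triage(events):
    """Score every event; return scored hits in input order, clean events dropped."""
    out = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            score = sum(WEIGHTS[kind] for kind, _ in hits)
            out.append({"id": ev["id"], "score": score, "hits": hits})
    return out


# Constructed telemetry for this example (not from the report): three events that
# should match and one benign event that should not.
SAMPLE_EVENTS = [
    {"id": 1, "type": "network",
     "image": r"C:\Users\bob\AppData\Local\Temp\cywul.exe", "dst_ip": "218.54.31.165"},
    {"id": 2, "type": "process",
     "image": r"C:\Users\bob\AppData\Local\Temp\opvyci.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Temp\opvyci.exe" OK',
     "sha256": "4BABF12CAC8700A1215D0769B571CC6DAFE89D504E80581D47535E34065853D6"},
    {"id": 3, "type": "process",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\bob\AppData\Local\Temp\_vslite.bat" "'},
    {"id": 4, "type": "network",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "203.0.113.10"},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The batch launch pattern is matched on the quoted-path shape and the _vslite.bat name rather than on the full sandbox path, since the C:\Users\Admin prefix is specific to the analysis VM. MD5 and SHA1 values from the report can be added alongside SHA256 if the telemetry source only carries one of those.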