Analysis

  • max time kernel
    100s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 07:29

General

  • Target

    562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    562d0bb7551275effd57b42bf140e40a

  • SHA1

    20cec1861dfb575b99d41573c83b0f41ddf0a86c

  • SHA256

    a3a2c609b31ddfabd30a9b0b1d2eee475c6e8d1d26261454d540f815c0547d9d

  • SHA512

    de1fbde18226f5b23ebf3064de82cc410147bf9e59b0a01f11bb56532bc076c90b4534ddfda3eae9aa69e1ebaf1a38e7dceb703db8e3c8179941282fe5aee820

  • SSDEEP

    6144:0X+OBRtoITkA53pK122OWXHCmHZW50l7F9R6ew+:cNBRtMcow2OWXH5HZW5qHRX

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\waawon.exe (child of PID 2584)
      "C:\Users\Admin\waawon.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3520

Network

DNS lookups (all sent to 8.8.8.8:53; the process in parentheses is the requesting process where the report records one; "response: none" means no answer records were returned)

  • 104.219.191.52.in-addr.arpa  IN PTR  response: none
  • 133.32.126.40.in-addr.arpa  IN PTR  response: none
  • 95.221.229.192.in-addr.arpa  IN PTR  response: none
  • ns1.helpupdates.com  IN A  (562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe)  response: none
  • ns1.helpupdates.net  IN A  (562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe)  response: A 107.178.223.183, A 34.70.133.246, A 104.155.138.21, A 35.225.36.88
  • ns1.helpupdater.net  IN A  (562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe)  response: A 193.166.255.171
  • ns1.helpupdated.com  IN A  (562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe)  response: none
  • ns1.helpupdated.net  IN A  (562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe)  response: A 18.205.186.231
  • ns1.helpupdated.org  IN A  (562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe)  response: none
  • 97.17.167.52.in-addr.arpa  IN PTR  response: none
  • 149.220.183.52.in-addr.arpa  IN PTR  response: none
  • 56.163.245.4.in-addr.arpa  IN PTR  response: none
  • 206.23.85.13.in-addr.arpa  IN PTR  response: none
  • 75.117.19.2.in-addr.arpa  IN PTR  response: PTR a2-19-117-75.deploy.static.akamaitechnologies.com
  • tse1.mm.bing.net  IN A  response: CNAME mm-mm.bing.net.trafficmanager.net, CNAME ax-0001.ax-msedge.net, A 150.171.28.10, A 150.171.27.10
  • 55.36.223.20.in-addr.arpa  IN PTR  response: none
  • 10.28.171.150.in-addr.arpa  IN PTR  response: none

Connections (remote address, domain, protocol, requesting process where recorded, bytes sent / received, packets)

  • 150.171.28.10:443  tse1.mm.bing.net  tls  1.2kB / 6.9kB  packets 15 / 13
  • 150.171.28.10:443  tse1.mm.bing.net  tls  1.2kB / 6.9kB  packets 15 / 13
  • 150.171.28.10:443  tse1.mm.bing.net  tls  122.0kB / 3.5MB  packets 2564 / 2557
  • 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B / 147 B  packets 1 / 1  (DNS request: 104.219.191.52.in-addr.arpa)
  • 8.8.8.8:53  133.32.126.40.in-addr.arpa  dns  72 B / 158 B  packets 1 / 1  (DNS request: 133.32.126.40.in-addr.arpa)
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B / 144 B  packets 1 / 1  (DNS request: 95.221.229.192.in-addr.arpa)
  • 8.8.8.8:53  ns1.helpupdates.com  dns  562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe  65 B / 128 B  packets 1 / 1  (DNS request: ns1.helpupdates.com)
  • 8.8.8.8:53  ns1.helpupdates.net  dns  562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe  65 B / 129 B  packets 1 / 1  (DNS request: ns1.helpupdates.net; DNS response: 107.178.223.183, 34.70.133.246, 104.155.138.21, 35.225.36.88)
  • 8.8.8.8:53  ns1.helpupdater.net  dns  562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe  65 B / 81 B  packets 1 / 1  (DNS request: ns1.helpupdater.net; DNS response: 193.166.255.171)
  • 8.8.8.8:53  ns1.helpupdated.com  dns  562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe  65 B / 138 B  packets 1 / 1  (DNS request: ns1.helpupdated.com)
  • 8.8.8.8:53  ns1.helpupdated.net  dns  562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe  65 B / 81 B  packets 1 / 1  (DNS request: ns1.helpupdated.net; DNS response: 18.205.186.231)
  • 8.8.8.8:53  ns1.helpupdated.org  dns  562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe  65 B / 147 B  packets 1 / 1  (DNS request: ns1.helpupdated.org)
  • 8.8.8.8:53  97.17.167.52.in-addr.arpa  dns  71 B / 145 B  packets 1 / 1  (DNS request: 97.17.167.52.in-addr.arpa)
  • 8.8.8.8:53  149.220.183.52.in-addr.arpa  dns  73 B / 147 B  packets 1 / 1  (DNS request: 149.220.183.52.in-addr.arpa)
  • 8.8.8.8:53  56.163.245.4.in-addr.arpa  dns  71 B / 157 B  packets 1 / 1  (DNS request: 56.163.245.4.in-addr.arpa)
  • 8.8.8.8:53  206.23.85.13.in-addr.arpa  dns  71 B / 145 B  packets 1 / 1  (DNS request: 206.23.85.13.in-addr.arpa)
  • 8.8.8.8:53  75.117.19.2.in-addr.arpa  dns  70 B / 133 B  packets 1 / 1  (DNS request: 75.117.19.2.in-addr.arpa)
  • 8.8.8.8:53  tse1.mm.bing.net  dns  62 B / 170 B  packets 1 / 1  (DNS request: tse1.mm.bing.net; DNS response: 150.171.28.10, 150.171.27.10)
  • 8.8.8.8:53  55.36.223.20.in-addr.arpa  dns  71 B / 157 B  packets 1 / 1  (DNS request: 55.36.223.20.in-addr.arpa)
  • 8.8.8.8:53  10.28.171.150.in-addr.arpa  dns  72 B / 158 B  packets 1 / 1  (DNS request: 10.28.171.150.in-addr.arpa)

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\waawon.exe

    Filesize

    320KB

    MD5

    2d19ca3f3e03e9deb992802625c7c5ad

    SHA1

    65dd624a864858a6af24352533dcdac504de0d6b

    SHA256

    6e2bda428f6cb96159030b5933470c328b145b924d50e7cf102a405a208b6e18

    SHA512

    d29ac9d1097a07d7b510c634ea64ac80851bee2b93a762082be9fb29a6309b5fc39d78bd6443c9d3d1a4e31307348fef540f5e2d832f7c2cbee7aa8c53029daf
