Analysis
  max time kernel: 143s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 24-10-2024 02:29
Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
    Resource: win7-20240903-en
  Behavioral task: behavioral2
    Sample: 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
    Resource: win10v2004-20241007-en
General
  Target: 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
  Size: 144KB
  MD5: 71efd5f8d2ad4c891d4d52f2cce17561
  SHA1: f34013094d0de6756de5c4979181e1a468836454
  SHA256: 62c10c55dac6618eff4716e89de4bae41c429102fae8cae2f0ffc86a05ad82e2
  SHA512: 0f8bab954b18c6e57a3bd0b1b685a5c4d4b194ab30c4b0e8a192cf57d9343c33e7b3f2ed9cb8a815f931b702c528d01ac58f30b8bfa3921854b285cd899bd7b0
  SSDEEP: 3072:XNfr+k4XY4h+PhzjzrOdt9lES2jbxWGqe:XNf14D+PhznrOdmSbGqe
Malware Config
  Extracted: tofsee
    91.218.39.211
    188.130.237.44
    91.204.162.103
    188.165.132.183
    rgtryhbgddtyh.biz
    wertdghbyrukl.ch
Signatures
  Deletes itself (1 IoC)
    pid 2864, process cmd.exe
  Executes dropped EXE (1 IoC)
    pid 2272, process ivansfyg.exe
  Loads dropped DLL (2 IoCs)
    pid 1928, process 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe (2 events)
  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ivansfyg.exe\"" by process 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
  Suspicious use of SetThreadContext (1 IoC)
    PID 2272 set thread context of 1920; pid 2272, process ivansfyg.exe, procid_target 31
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process ivansfyg.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process svchost.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process cmd.exe
  Suspicious use of UnmapMainImage (2 IoCs)
    pid 1928, process 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
    pid 2272, process ivansfyg.exe
  Suspicious use of WriteProcessMemory (14 IoCs)
    PID 1928 wrote to memory of 2272; pid 1928, process 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe, procid_target 30 (4 events)
    PID 2272 wrote to memory of 1920; pid 2272, process ivansfyg.exe, procid_target 31 (6 events)
    PID 1928 wrote to memory of 2864; pid 1928, process 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe, procid_target 32 (4 events)
Processes (indentation shows the parent/child tree)
  C:\Users\Admin\AppData\Local\Temp\71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe"
    PID: 1928
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\ivansfyg.exe
      Command line: "C:\Users\Admin\ivansfyg.exe"
      PID: 2272
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 1920
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4185.bat" "
      PID: 2864
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 266B
    MD5: 9eea7abfb4d49faa6f8a741045e6ce12
    SHA1: 82300c781f27ed47fb876837e85d06aed51573ec
    SHA256: e48bf0d52c54ac76446b6a2ba61381d831fe120d33df23635ee6d8ff5c1c3687
    SHA512: 82e6a16ec9550b8f63c60ed49e18a96110a42eca1eaece84b46d1a3f8064468be5b91de3464f6470612ae17f7d0f4933d0a61a49e96b9b4276f0bb11990636e9
  File 2
    Filesize: 46.9MB
    MD5: 737f1b6c27f43893341d0015acadd199
    SHA1: a0ffa614d0f809050c227eaafbf79749b9a79c78
    SHA256: f89ace85448b4864d1071ec92a3e3a11f42cb23858a9a1a4914b492d0ee804e7
    SHA512: f94fa8ff4dc2210b0a39977eb72405484b340bb55339a0b168d81516bfbc3b6265ac28f5d04c8453666e9fb620ba001b10aa5fa9285a8a8934b6c313ab2c8756