Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 22:02
Static task: static1
Behavioral task: behavioral1
Sample: a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe
Size: 7.0MB
MD5: a9d35b3546a908c804d177020daefcb0
SHA1: 1ba9d78409d3188653fcb003d618b97a276577fa
SHA256: 45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827
SHA512: fb03bd4f20493bfd41e013102162e3ca4b3e084f2be6caf8311c0e772d55ebb8b753f5bcc2397cc0f0b9298ac51da27b96232c858c9bbfcedf00b23db04cd337
SSDEEP: 196608:XPGZKb8EmARpfMWw93Axfy46VqPFUXd8hSXJTkWOg0rmt+kK1:+o7pa9wVaqcd8hSZkWOgOmHq
Malware Config
Extracted
Family: amadey
Version: 2.42
Botnet: 6e6f28
C2: http://185.215.113.20
Attributes:
  install_dir: 82b34ed5a0
  install_file: rgbux.exe
  strings_key: 546f4527af5507340e285ce20285c73e
  url_paths: /gb9fskvS/index.php
Signatures
Amadey family
Babadeda Crypter (1 IoC)
  resource: behavioral1/files/0x000400000001d3be-843.dat; yara_rule: family_babadeda
Babadeda family
Executes dropped EXE (2 IoCs)
  PID 2792  irsetup.exe
  PID 2472  DbVisualizer.exe
Loads dropped DLL (13 IoCs)
  PID 1088  a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe (4 entries)
  PID 2792  irsetup.exe (8 entries)
  PID 2472  DbVisualizer.exe (1 entry)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
resource (yara_rule: upx)
  behavioral1/files/0x0008000000016c89-3.dat
  behavioral1/memory/1088-14-0x0000000003340000-0x0000000003728000-memory.dmp
  behavioral1/memory/2792-18-0x00000000009A0000-0x0000000000D88000-memory.dmp
  behavioral1/memory/2792-838-0x00000000009A0000-0x0000000000D88000-memory.dmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  irsetup.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DbVisualizer.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2792  irsetup.exe (2 entries)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1088 (a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe) wrote to memory of PID 2792; procid_target 30 (7 entries)
  PID 2792 (irsetup.exe) wrote to memory of PID 2472; procid_target 31 (7 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe (PID 1088)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 2792)
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3063565911-2056067323-3330884624-1000"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe (PID 2472)
         Command line: "C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads