Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 00:46
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
Size: 331KB
MD5: 6042c40a57c02d426c2e2acd9f2bc0b2
SHA1: 65c1ba0bab5936f8a55d7735918459aa489f9200
SHA256: ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319
SHA512: 9a2457255d1b0ae2e5bb291cb7b8f9e1358306a55326ef714d32c979819d4da5ca0f937e45a9f1c19b82446f74a701193d05be3e641a092c3309963972ee9aa7
SSDEEP: 6144:C6+jqQ2oya8Kt17AtPJnFOLNBYUMdQ04PNvRy6ImJJWwd:CbX9p8i17ANbOLAUy6VvRyGJEwd
Malware Config
Extracted
Family: amadey
Version: 3.10
Botnet: d8b51d
C2: http://193.106.191.218
install_dir: 98d3052e12
install_file: orxds.exe
strings_key: cb1d9c802af40fc7b0f3697a01a3365a
url_paths: /8bed3CS/index.php
Signatures

Amadey family

Executes dropped EXE (3 IoCs)
pid   Process
792   orxds.exe
2844  orxds.exe
2096  orxds.exe

Loads dropped DLL (2 IoCs)
pid   Process
388   JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
388   JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   orxds.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2440  schtasks.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 388 wrote to memory of 792 | 388 | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe | 31
PID 388 wrote to memory of 792 | 388 | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe | 31
PID 388 wrote to memory of 792 | 388 | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe | 31
PID 388 wrote to memory of 792 | 388 | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe | 31
PID 792 wrote to memory of 1780 | 792 | orxds.exe | 32
PID 792 wrote to memory of 1780 | 792 | orxds.exe | 32
PID 792 wrote to memory of 1780 | 792 | orxds.exe | 32
PID 792 wrote to memory of 1780 | 792 | orxds.exe | 32
PID 792 wrote to memory of 2440 | 792 | orxds.exe | 34
PID 792 wrote to memory of 2440 | 792 | orxds.exe | 34
PID 792 wrote to memory of 2440 | 792 | orxds.exe | 34
PID 792 wrote to memory of 2440 | 792 | orxds.exe | 34
PID 1780 wrote to memory of 2884 | 1780 | cmd.exe | 36
PID 1780 wrote to memory of 2884 | 1780 | cmd.exe | 36
PID 1780 wrote to memory of 2884 | 1780 | cmd.exe | 36
PID 1780 wrote to memory of 2884 | 1780 | cmd.exe | 36
PID 1616 wrote to memory of 2844 | 1616 | taskeng.exe | 39
PID 1616 wrote to memory of 2844 | 1616 | taskeng.exe | 39
PID 1616 wrote to memory of 2844 | 1616 | taskeng.exe | 39
PID 1616 wrote to memory of 2844 | 1616 | taskeng.exe | 39
PID 1616 wrote to memory of 2096 | 1616 | taskeng.exe | 41
PID 1616 wrote to memory of 2096 | 1616 | taskeng.exe | 41
PID 1616 wrote to memory of 2096 | 1616 | taskeng.exe | 41
PID 1616 wrote to memory of 2096 | 1616 | taskeng.exe | 41
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe"
  PID: 388
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe"
    PID: 792
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\98d3052e12\
      PID: 1780
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\98d3052e12\
        PID: 2884
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe" /F
      PID: 2440
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2D9662C3-275D-44AE-BBBC-18DFDF9C422A} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
  PID: 1616
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    PID: 2844
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    PID: 2096
    - Executes dropped EXE
Downloads

Filesize: 67KB
MD5: e7be9464d86522669563f579dab80ff1
SHA1: 93969db63e77f6b8b9799ba501aebc7eb1fb793f
SHA256: 005a2e69af88e6f47337dde30d498c30449e0435686f853af156e81ef62b8a94
SHA512: eae43a7d3d0f387d8c7ac885df32709fe4cd69bea74cc45f7d6b1c954a355be62569512db7150f438b8e78961b670e3741d94f0f5076a1cae54a3444cfe28f67

Filesize: 331KB
MD5: 6042c40a57c02d426c2e2acd9f2bc0b2
SHA1: 65c1ba0bab5936f8a55d7735918459aa489f9200
SHA256: ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319
SHA512: 9a2457255d1b0ae2e5bb291cb7b8f9e1358306a55326ef714d32c979819d4da5ca0f937e45a9f1c19b82446f74a701193d05be3e641a092c3309963972ee9aa7