Analysis

- max time kernel: 141s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 00:46
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
Resource: win7-20241010-en
General

- Target: JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
- Size: 331KB
- MD5: 6042c40a57c02d426c2e2acd9f2bc0b2
- SHA1: 65c1ba0bab5936f8a55d7735918459aa489f9200
- SHA256: ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319
- SHA512: 9a2457255d1b0ae2e5bb291cb7b8f9e1358306a55326ef714d32c979819d4da5ca0f937e45a9f1c19b82446f74a701193d05be3e641a092c3309963972ee9aa7
- SSDEEP: 6144:C6+jqQ2oya8Kt17AtPJnFOLNBYUMdQ04PNvRy6ImJJWwd:CbX9p8i17ANbOLAUy6VvRyGJEwd
Malware Config

Extracted
- Family: amadey
- Version: 3.10
- ID (unlabelled in the extract): d8b51d
- C2: http://193.106.191.218
- install_dir: 98d3052e12
- install_file: orxds.exe
- strings_key: cb1d9c802af40fc7b0f3697a01a3365a
- url_paths: /8bed3CS/index.php
Signatures

- Amadey family

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | orxds.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  2500 | orxds.exe
  3680 | orxds.exe
  4564 | orxds.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  4292 | 1876 | WerFault.exe | 82
  1072 | 3680 | WerFault.exe | 108
  3668 | 4564 | WerFault.exe | 111

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | orxds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1644 | schtasks.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  The report lists each of the four distinct writes three times (12 entries in total):
  description | pid | Process | procid_target
  PID 1876 wrote to memory of 2500 | 1876 | JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe | 83
  PID 2500 wrote to memory of 3668 | 2500 | orxds.exe | 87
  PID 2500 wrote to memory of 1644 | 2500 | orxds.exe | 89
  PID 3668 wrote to memory of 1084 | 3668 | cmd.exe | 91
  Every pair is a parent writing into a child it has just started (compare the process tree below), which is what process creation does on Windows; on its own this signature is not evidence of injection into an unrelated process.
Processes

The bracketed depth reproduces the nesting of the report's tree; "cmd:" is the captured command line.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe  (PID 1876)
    cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe  (PID 2500)
        cmd: "C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 3668)
            cmd: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\98d3052e12\
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe  (PID 1084)
                cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\98d3052e12\
                - System Location Discovery: System Language Discovery
        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 1644)
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe" /F
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 4292)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1108
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1264)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1876 -ip 1876
[1] C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe  (PID 3680)
    cmd: C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 1072)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 484
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1152)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3680 -ip 3680
[1] C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe  (PID 4564)
    cmd: C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 3668)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 484
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1140)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 4564

Notes on the tree:
- The REG ADD repoints the per-user Startup shell folder (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, value Startup) to C:\Users\Admin\AppData\Local\Temp\98d3052e12\, the directory orxds.exe was dropped into, so Explorer treats that directory as the Startup folder at the next logon. The value is written as REG_SZ with a literal path, whereas the stock value is an expandable (REG_EXPAND_SZ) environment-variable path; that type change is itself a useful hunting indicator.
- The scheduled task named orxds.exe (/SC MINUTE /MO 1) relaunches the dropped binary every minute. The two orxds.exe instances at depth 1 (PIDs 3680 and 4564) have no parent in the tree, consistent with the task firing; each of them crashes and is handled by WerFault, as does the original sample (PID 1876). PID 2500 is the only instance that did not crash.
- PID 3668 appears twice: first as the cmd.exe child of orxds.exe, later as the WerFault.exe instance for PID 4564. The first process had exited by then and the PID was reused, so correlate events by PID plus start time (or a process GUID), not by PID alone.
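The persistence chain in the tree above (orxds.exe spawning cmd.exe and reg.exe to repoint the Startup shell folder, and schtasks.exe to run orxds.exe every minute) together with the C2 and install path from the Malware Config section give an analyst concrete detection logic. The following Python is an added example, not code from the report or from the sandbox vendor: it replays the report's command lines as constructed process events, flags the two persistence techniques, walks each hit back past cmd/reg/schtasks to the process that requested the change, and matches a constructed proxy line against the C2 endpoint built from the config. The rule names, the five-minute threshold, the temp-directory marker and the Windows 10 default Startup values it compares against are assumptions.

```python
"""Added example, not part of the sandbox report: detection checks derived from the
persistence commands in the process tree and the extracted Amadey config. EVENTS and
PROXY_LOG are constructed from the report's command lines and C2; rule names,
thresholds and helper functions are the author's assumptions, not sandbox logic."""
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
AMADEY_CONFIG = {
    "c2": "http://193.106.191.218",
    "install_dir": "98d3052e12",
    "install_file": "orxds.exe",
    "url_paths": ["/8bed3CS/index.php"],
}
# Assumed Windows 10 default data for the User Shell Folders\Startup value (either spelling).
DEFAULT_STARTUP = {
    r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"%appdata%\microsoft\windows\start menu\programs\startup",
}
TEMP_MARK = "\\appdata\\local\\temp\\"                  # user-writable temp dir fragment
PROXY_IMAGES = {"cmd.exe", "reg.exe", "schtasks.exe"}  # LOLBins that origin() walks past
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319.exe"
INSTALL = r"C:\Users\Admin\AppData\Local\Temp\98d3052e12\orxds.exe"
USF = r'"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
REG_ARGS = r" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\98d3052e12" "\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed from the report's process tree (PIDs and command lines as shown there).
EVENTS = [
    ProcEvent(1876, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2500, 1876, INSTALL, f'"{INSTALL}"'),
    ProcEvent(3668, 2500, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C REG ADD ' + USF + REG_ARGS),
    ProcEvent(1084, 3668, r"C:\Windows\SysWOW64\reg.exe", "REG ADD " + USF + REG_ARGS),
    ProcEvent(1644, 2500, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "' + INSTALL + '" /F'),
    ProcEvent(4292, 1876, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1108"),
]
# Constructed proxy lines: one hit on the configured C2 path, one unrelated request.
PROXY_LOG = [
    "2024-12-24T00:47:01Z 10.0.0.5 POST http://193.106.191.218/8bed3CS/index.php 200",
    "2024-12-24T00:47:03Z 10.0.0.5 GET http://www.example.com/ 200",
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_startup_redirect(cmdline):
    """REG ADD that points the per-user Startup shell folder somewhere other than the default."""
    m = re.search(r'reg(?:\.exe)?\s+add\s+"?[^"]*\\explorer\\user shell folders"?'
                  r'.*?/v\s+startup\b.*?/d\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    target = m.group(1) or m.group(2)          # quoted or bare /d argument
    if target.lower().rstrip("\\") in DEFAULT_STARTUP:
        return None
    return f"Startup shell folder redirected to {target}"

def check_minute_task(cmdline, max_minutes=5):
    """schtasks /Create with a MINUTE trigger of at most max_minutes that runs from a temp dir."""
    if "schtasks" not in cmdline.lower() or not re.search(r"/create\b", cmdline, re.I):
        return None
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if not (re.search(r"/sc\s+minute\b", cmdline, re.I) and tr):
        return None
    every, target = (int(mo.group(1)) if mo else 1), (tr.group(1) or tr.group(2))
    if every <= max_minutes and TEMP_MARK in target.lower():
        return f"task runs {target} every {every} min"
    return None

def check_install_path(event):
    """Image or command line carrying install_dir/install_file from the extracted config."""
    marker = ("\\" + AMADEY_CONFIG["install_dir"] + "\\" + AMADEY_CONFIG["install_file"]).lower()
    if marker in event.image.lower() or marker in event.cmdline.lower():
        return f"references Amadey install path {marker}"
    return None

def origin(event, by_pid):
    """Walk up the parent chain past cmd/reg/schtasks to the process that requested the change."""
    seen = set()
    while basename(event.image) in PROXY_IMAGES and event.ppid in by_pid and event.pid not in seen:
        seen.add(event.pid)
        event = by_pid[event.ppid]
    return event

def scan(events):
    """Return (rule, pid, originating image, detail) for every hit, in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        for rule, detail in (("startup_shell_folder_redirect", check_startup_redirect(e.cmdline)),
                             ("minute_interval_task", check_minute_task(e.cmdline)),
                             ("amadey_install_path", check_install_path(e))):
            if detail:
                hits.append((rule, e.pid, basename(origin(e, by_pid).image), detail))
    return hits

def c2_urls(config):
    """Full C2 endpoints implied by the config: base URL joined with each url_path."""
    return [config["c2"].rstrip("/") + "/" + p.lstrip("/") for p in config["url_paths"]]

def match_c2(lines, config):
    """Log lines that reference any of the C2 endpoints."""
    urls = c2_urls(config)
    return [line for line in lines if any(u in line for u in urls)]

if __name__ == "__main__":
    for hit in scan(EVENTS) + [("c2_contact", 0, "-", l) for l in match_c2(PROXY_LOG, AMADEY_CONFIG)]:
        print(*hit)
```

All five hits resolve to orxds.exe as the originating image even though the registry write is two hops away (orxds.exe → cmd.exe → reg.exe), which is the value of walking the parent chain rather than alerting on reg.exe in isolation. On a live host the same two facts can be read back with `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup` and `schtasks /Query /TN orxds.exe /V /FO LIST`; a Startup value that is REG_SZ and points under AppData\Local\Temp, or a task with a one-minute repetition running from there, warrants isolating the host.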
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (79KB; no filename given on the page)
- MD5: b1d044b5f76d05a5b409173e98d23658
- SHA1: 493e3a4651230f01eab2af7a39553f5f5a8ae560
- SHA256: 8e4e4255942a156952a2211c50bf94da17119d5f9facc0a34de1778d02c11067
- SHA512: c357ff164602bd410b7cd0843ec5fc8480f91f4b53b65f84e5e592c02b512ad1fd325baa0013d4cd1a7459d5b8c471d1628f71ad98bbafcde97399b19538881a

File 2 (331KB; the submitted sample, hashes identical to the General section)
- MD5: 6042c40a57c02d426c2e2acd9f2bc0b2
- SHA1: 65c1ba0bab5936f8a55d7735918459aa489f9200
- SHA256: ce8cce13753044619862690903a78366a5bae75d6d28dd1d72ce4195ed69d319
- SHA512: 9a2457255d1b0ae2e5bb291cb7b8f9e1358306a55326ef714d32c979819d4da5ca0f937e45a9f1c19b82446f74a701193d05be3e641a092c3309963972ee9aa7