Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 02:22

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
Size: 383KB
MD5: fca659ae151e9601e395311c80affaf3
SHA1: 4267eba1fd55cba76e72d239d32b44d7415ef0c7
SHA256: 0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034
SHA512: c74044ee4f85a07a318a20830d39551fdb95dec61794f1cba6d71d2d4d76f5290ee3b191eb8c69a0cac7bd8a1229bc95111d7640abf9d66bdfc95b2bbfa512fa
SSDEEP: 6144:kPOoI3LsLwU9DjVOxnbLdWdR+sVEPQs6FU6KdAHuzbgwuO0Q7ITsqpTmZwVfT:kP5I3Lo59OxbLdWQIvUwunnwQ7OT
Malware Config

Extracted
Family: amadey
Version: 3.08
Botnet: d00855
C2: http://179.43.154.147
install_dir: 9d5cca72fb
install_file: ftewk.exe
strings_key: 9defde16baecb416084964a9b667f06e
url_paths: /d2VxjasuwS/index.php
Signatures

Amadey family

Executes dropped EXE (3 IoCs)
  pid   Process
  2712  ftewk.exe
  1052  ftewk.exe
  1944  ftewk.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1740  JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
  1740  JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ftewk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ftewk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ftewk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2696  schtasks.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description                         pid   Process                                                                                 procid_target
  PID 1740 wrote to memory of 2712    1740  JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe   31
  PID 1740 wrote to memory of 2712    1740  JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe   31
  PID 1740 wrote to memory of 2712    1740  JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe   31
  PID 1740 wrote to memory of 2712    1740  JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe   31
  PID 2712 wrote to memory of 2748    2712  ftewk.exe                                                                               32
  PID 2712 wrote to memory of 2748    2712  ftewk.exe                                                                               32
  PID 2712 wrote to memory of 2748    2712  ftewk.exe                                                                               32
  PID 2712 wrote to memory of 2748    2712  ftewk.exe                                                                               32
  PID 2712 wrote to memory of 2696    2712  ftewk.exe                                                                               34
  PID 2712 wrote to memory of 2696    2712  ftewk.exe                                                                               34
  PID 2712 wrote to memory of 2696    2712  ftewk.exe                                                                               34
  PID 2712 wrote to memory of 2696    2712  ftewk.exe                                                                               34
  PID 2748 wrote to memory of 2732    2748  cmd.exe                                                                                 35
  PID 2748 wrote to memory of 2732    2748  cmd.exe                                                                                 35
  PID 2748 wrote to memory of 2732    2748  cmd.exe                                                                                 35
  PID 2748 wrote to memory of 2732    2748  cmd.exe                                                                                 35
  PID 688 wrote to memory of 1052     688   taskeng.exe                                                                             39
  PID 688 wrote to memory of 1052     688   taskeng.exe                                                                             39
  PID 688 wrote to memory of 1052     688   taskeng.exe                                                                             39
  PID 688 wrote to memory of 1052     688   taskeng.exe                                                                             39
  PID 688 wrote to memory of 1944     688   taskeng.exe                                                                             41
  PID 688 wrote to memory of 1944     688   taskeng.exe                                                                             41
  PID 688 wrote to memory of 1944     688   taskeng.exe                                                                             41
  PID 688 wrote to memory of 1944     688   taskeng.exe                                                                             41
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe"
    PID: 1740
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
        PID: 2712
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
            PID: 2748
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
                PID: 2732
                - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
            PID: 2696
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {966EF87C-70B5-4749-B348-939BF596725C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    PID: 688
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
        PID: 1052
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
        PID: 1944
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 70KB
MD5: 186d4555db96011ffa2754540b1d892a
SHA1: 09f296a9ef033b75583948dc93c70842a51819d4
SHA256: ce5ac1c62c0980be344bc741b32d8c1c9360fa68d3e936f920c9142f6b672476
SHA512: a0c22b6982f71187db04d26bc18608803d243450fec576546f6ad840994ad57237a80a155bf967d61cd0e042ca14c8043d87f828ba2e2d5ee48bc8488357d05b

Filesize: 383KB
MD5: fca659ae151e9601e395311c80affaf3
SHA1: 4267eba1fd55cba76e72d239d32b44d7415ef0c7
SHA256: 0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034
SHA512: c74044ee4f85a07a318a20830d39551fdb95dec61794f1cba6d71d2d4d76f5290ee3b191eb8c69a0cac7bd8a1229bc95111d7640abf9d66bdfc95b2bbfa512fa