Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 02:22

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
Size: 383KB
MD5: fca659ae151e9601e395311c80affaf3
SHA1: 4267eba1fd55cba76e72d239d32b44d7415ef0c7
SHA256: 0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034
SHA512: c74044ee4f85a07a318a20830d39551fdb95dec61794f1cba6d71d2d4d76f5290ee3b191eb8c69a0cac7bd8a1229bc95111d7640abf9d66bdfc95b2bbfa512fa
SSDEEP: 6144:kPOoI3LsLwU9DjVOxnbLdWdR+sVEPQs6FU6KdAHuzbgwuO0Q7ITsqpTmZwVfT:kP5I3Lo59OxbLdWQIvUwunnwQ7OT
Malware Config

Extracted
Family: amadey
Version: 3.08
Botnet: d00855
C2: http://179.43.154.147
install_dir: 9d5cca72fb
install_file: ftewk.exe
strings_key: 9defde16baecb416084964a9b667f06e
url_paths: /d2VxjasuwS/index.php
Signatures

Amadey family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                               | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ftewk.exe

Executes dropped EXE (3 IoCs)
  pid  | Process
  756  | ftewk.exe
  4076 | ftewk.exe
  4516 | ftewk.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
  pid  | pid_target | Process      | procid_target
  4592 | 3428       | WerFault.exe | 81
  2364 | 4076       | WerFault.exe | 100
  4388 | 4516       | WerFault.exe | 103
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftewk.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftewk.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftewk.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  1016 | schtasks.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process                                                                            | procid_target
  PID 3428 wrote to memory of 756  | 3428 | JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe | 82
  PID 3428 wrote to memory of 756  | 3428 | JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe | 82
  PID 3428 wrote to memory of 756  | 3428 | JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe | 82
  PID 756 wrote to memory of 3596  | 756  | ftewk.exe                                                                          | 86
  PID 756 wrote to memory of 3596  | 756  | ftewk.exe                                                                          | 86
  PID 756 wrote to memory of 3596  | 756  | ftewk.exe                                                                          | 86
  PID 756 wrote to memory of 1016  | 756  | ftewk.exe                                                                          | 88
  PID 756 wrote to memory of 1016  | 756  | ftewk.exe                                                                          | 88
  PID 756 wrote to memory of 1016  | 756  | ftewk.exe                                                                          | 88
  PID 3596 wrote to memory of 4180 | 3596 | cmd.exe                                                                            | 90
  PID 3596 wrote to memory of 4180 | 3596 | cmd.exe                                                                            | 90
  PID 3596 wrote to memory of 4180 | 3596 | cmd.exe                                                                            | 90
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034.exe"
  PID: 3428
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
      PID: 756
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
          PID: 3596
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
              PID: 4180
              - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
          PID: 1016
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 860
      PID: 4592
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3428 -ip 3428
  PID: 2432

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  PID: 4076
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 500
      PID: 2364
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4076 -ip 4076
  PID: 2928

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  PID: 4516
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 500
      PID: 4388
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4516 -ip 4516
  PID: 5004
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 84KB
MD5: b5cc198079a5bd56d15c62b12b594ff6
SHA1: e1f1b4217b7280977adba95f8bbf405401cc8007
SHA256: 8d3930d07fbb180e948b4efd754c701cd5d8f4cb50e2d434c176778551e9d6a0
SHA512: 77e54bf74bd02449bbd7dc3da433d01b7f1aff68e110a0d6d55eefcd10b8e04b613bbbc7e4a3668ff16a0e6ad728d14051d8760b5b0f05ab6e3d182dbd403384

Filesize: 383KB
MD5: fca659ae151e9601e395311c80affaf3
SHA1: 4267eba1fd55cba76e72d239d32b44d7415ef0c7
SHA256: 0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034
SHA512: c74044ee4f85a07a318a20830d39551fdb95dec61794f1cba6d71d2d4d76f5290ee3b191eb8c69a0cac7bd8a1229bc95111d7640abf9d66bdfc95b2bbfa512fa