6cf8a6433f7cdedd2ecaa24efb6422f054a1ed6a3d1c6ce30597c5f2cf50dc53

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe
Size

1.1MB
MD5

89b60c1e93170e9d6e525d207f032076
SHA1

512d51b15fc9434b1071fbd2ce2facd3f650739b
SHA256

6cf8a6433f7cdedd2ecaa24efb6422f054a1ed6a3d1c6ce30597c5f2cf50dc53
SHA512

f5a058793b9a6124e4264b6e7ced0ce23f90c44937921855b13e536adabea1e0901acffad2e420e52b88b4fefc224645aa8cb97d06eb546fdf2d3587698c9f1a
SSDEEP

24576:skWAAuqryme6TrmevgdsIXB498R2h6vhP0OvJMVBYKx89qXCjKOJ7Rm6Mx3:sLekyeysIR7R2M9vvJMV/x89qyXRk5

Score

7^/10

agilenet discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2808	win64.exe
2268	iBot.exe
2632	ejj.exe

Loads dropped DLL 11 IoCs

pid	Process
2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe
2808	win64.exe
2808	win64.exe
2808	win64.exe
2808	win64.exe
2268	iBot.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x00070000000170b5-13.dat	agile_net
behavioral1/memory/2268-31-0x0000000000AE0000-0x0000000000C86000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\nservice32 = "C:\\Users\\Admin\\AppData\\Roaming\\svchosted.exe"	ejj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2268	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	iBot.exe
2268	iBot.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2484 wrote to memory of 2808	2484	JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe	30
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2268	2808	win64.exe	31
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2808 wrote to memory of 2632	2808	win64.exe	32
PID 2268 wrote to memory of 2616	2268	iBot.exe	33
PID 2268 wrote to memory of 2616	2268	iBot.exe	33
PID 2268 wrote to memory of 2616	2268	iBot.exe	33
PID 2268 wrote to memory of 2616	2268	iBot.exe	33
PID 2268 wrote to memory of 2616	2268	iBot.exe	33
PID 2268 wrote to memory of 2616	2268	iBot.exe	33
PID 2268 wrote to memory of 2616	2268	iBot.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b60c1e93170e9d6e525d207f032076.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\win64.exe
  "C:\Users\Admin\AppData\Local\Temp\win64.exe" -pdf2h2u2a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\iBot.exe
    "C:\Users\Admin\AppData\Local\Temp\iBot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 672
      4⤵
      Loads dropped DLL
      Program crash
      PID:2616
- - C:\Users\Admin\AppData\Local\Temp\ejj.exe
    "C:\Users\Admin\AppData\Local\Temp\ejj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3620259e-386a-4fe2-9fab-cbebcf3ad4ae\AgileDotNetRT.dll

Filesize
120KB

MD5
dd7c3e58103e7c4392e618cb9c964f7d

SHA1
ad10b6dc55e69d37a45fb6b63e920585ed092afb

SHA256
ba891b4a284049221c542a85997462092be087f05720f3efc83e632396e519af

SHA512
d2943e3bb6ae829be3ee85c2ebd4ed2bee97060ee5bcf28fcbf4d4ef6709dd2da8400cd610ebbbd664d1c2b2ab6b8dd2b81fd8dadf527fb9040c04abbe6e3936

Download Submit
\Users\Admin\AppData\Local\Temp\ejj.exe

Filesize
280KB

MD5
a24c7caf95c34347b912294b27bb1950

SHA1
cf7b9a43af491ea5e737cdfb655e1acbe84b672c

SHA256
e965835cab22a6dad2ad11205f3384a1435bfab2ff5d1846dac0a96c390820a3

SHA512
9c0a56a15e9db550df7b5f626cc37c0b4c5163743176f3df75dd67843068480cb4feda53bd691ef3288752c15885cba84615e86b687352588afe7a00ef5eda08

Download Submit
\Users\Admin\AppData\Local\Temp\iBot.exe

Filesize
1.6MB

MD5
7f1971123f20015b8a3141ec276d3d01

SHA1
53990455668b450ed58ae18c054ce75aad7e62de

SHA256
2fc95ea30a325f1003b5ba9bb874b2919551d02edc831f542287902df77f0bfe

SHA512
f6f81d8af4ea7b73536f0a0efab0ea1aec91695bd987441c9513a82fb4f48fef59c41aebd30589d78bc4a5d158c996d0d56d1c38231044793c45a5c3f99aca07

Download Submit
\Users\Admin\AppData\Local\Temp\win64.exe

Filesize
1.1MB

MD5
d4eced446ea28c87249be3c427a5075d

SHA1
06fc129159087214e6d574ff6628ef4f504bedf8

SHA256
839ce078e1f9542ff80ee7141987daa8c6ed33f085cc0ecab0b964f5319d0e14

SHA512
7b96725baeddf47d6c57cd0d529b083a02bbdd0e0d476b728e4da59c15e4f2b2f59fb5ee785cd44e3f248bee13f3c882b2097fd4a8218b0e420d832606f6a675

Download Submit
memory/2268-31-0x0000000000AE0000-0x0000000000C86000-memory.dmp

Filesize
1.6MB

Download
memory/2268-39-0x0000000074950000-0x0000000074982000-memory.dmp

Filesize
200KB

Download
memory/2268-38-0x00000000749E0000-0x0000000074A60000-memory.dmp

Filesize
512KB

Download
memory/2268-45-0x0000000074950000-0x0000000074982000-memory.dmp

Filesize
200KB

Download
memory/2632-46-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download