Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29-03-2024 13:11

Static task: static1
Behavioral task: behavioral1
Sample: 22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe
Resource: win7-20231129-en
General

Target: 22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe
Size: 422KB
MD5: 22dccb5bba83abd89502fafda108b0ce
SHA1: b1398ba3766f4514cc039de8cb5142fe67572c27
SHA256: fc79c3c3b0d705e0648d493c8aac851f40fcf8dc2cacdc163f9cc237dc821255
SHA512: 92bd11b940f02892254227f9c7ed3b241449af6d19e64646121f418a105f7310cf39fada199a92daf06a0f7a184c65d768e13f1fd6f851db85b9acaefd8537fb
SSDEEP: 6144:xLIiVgoGRuKEpcHCTavdmnulKg+z89Hu2cP0gzUE4rzxD1T3BxiXna:jurfEpciTaVHX+z0HbTgzUdrzXT3Bxs
Malware Config

Extracted
Family: cryptbot
befhns72.top
moralv07.top
payload_url: http://minets10.top/download.php?file=lv.exe
Signatures

Deletes itself (1 IoC)
Processes:
  pid 2916, process cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process 22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process 22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe)

Delays execution with timeout.exe (1 IoC)
Processes:
  pid 1704, process timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 2064 (22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe) wrote to memory of 2916 (cmd.exe), 4 entries
  PID 2916 (cmd.exe) wrote to memory of 1704 (timeout.exe), 4 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\fnThmicITey & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\22dccb5bba83abd89502fafda108b0ce_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

memory/2064-1-0x0000000001790000-0x0000000001890000-memory.dmp  Filesize: 1024KB
memory/2064-2-0x00000000002E0000-0x0000000000325000-memory.dmp  Filesize: 276KB
memory/2064-3-0x0000000000400000-0x00000000016DD000-memory.dmp  Filesize: 18.9MB
memory/2064-4-0x0000000000400000-0x00000000016DD000-memory.dmp  Filesize: 18.9MB
memory/2064-5-0x00000000002E0000-0x0000000000325000-memory.dmp  Filesize: 276KB