Analysis
-
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-03-2024 15:03
Static task: static1
Behavioral task: behavioral1
Sample: 3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe
Resource: win7-20240221-en
General
-
Target: 3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe
Size: 346KB
MD5: 3e375a3e6648d4698a2a1c07cbee04f6
SHA1: 9bca8cddf2002efe155627571feb7a75874b948c
SHA256: 0226c24778351c0e523f42b629f085bc3c1016100970b2a76d7c7fe122f69e33
SHA512: 19ea7cc9c1e7492f86b934153e3e50509ca47090844c04802cc4c574577adeb7b694e96f6f4e76b1e83015bd8bd913fb321616b52e02eaf43a2093f9e3a6932e
SSDEEP: 6144:MFLdy9Yvb94JUdC/l5rKUR4sJTH7zR6UW9Ac8ZJ1TLy:gXDGwC/llKU7JH7zR6U7/J1T
Malware Config
-
Extracted: cryptbot
Domains:
  veobav12.top
  morysl01.top
payload_url: http://tyngle01.top/download.php?file=lv.exe
Signatures
-
Deletes itself (1 IoC)
Processes:
  pid   process
  1880  cmd.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe
-
Delays execution with timeout.exe (1 IoC)
Processes:
  pid   process
  2544  timeout.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe, cmd.exe
  description                         pid   process                                              target process
  PID 2228 wrote to memory of 1880    2228  3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe  cmd.exe
  PID 2228 wrote to memory of 1880    2228  3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe  cmd.exe
  PID 2228 wrote to memory of 1880    2228  3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe  cmd.exe
  PID 2228 wrote to memory of 1880    2228  3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe  cmd.exe
  PID 1880 wrote to memory of 2544    1880  cmd.exe                                              timeout.exe
  PID 1880 wrote to memory of 2544    1880  cmd.exe                                              timeout.exe
  PID 1880 wrote to memory of 2544    1880  cmd.exe                                              timeout.exe
  PID 1880 wrote to memory of 2544    1880  cmd.exe                                              timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe (depth 1, PID 2228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1880)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WDNEEewr & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\timeout.exe (depth 3, PID 2544)
      Command line: timeout 4
      - Delays execution with timeout.exe
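Detection logic for the self-deletion chain in the process tree above, as an added example that is not part of this sandbox report. It replays constructed Sysmon-style process-creation events (modelled on PIDs 2228, 1880 and 2544 from the tree, plus an invented benign control, PID 3100) and flags a cmd.exe child whose /c chain runs del against its own parent's image path. The timeout 4 step is what makes the chain work for the malware: Windows will not delete an executable whose image is still mapped by a running process, so cmd waits for the parent to exit before the del runs. The event field names (image, parent_image, cmdline) are assumptions, not a particular log schema.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are an assumed schema)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent process


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3e375a3e6648d4698a2a1c07cbee04f6_JaffaCakes118.exe"

# Constructed events mirroring the report's tree. PIDs 2228/1880/2544 and the
# command lines come from the report; PID 3100 is a made-up benign control that
# deletes a temp file which is NOT its parent and must not be flagged.
EVENTS = [
    ProcEvent(2228, 1234, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(1880, 2228, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c rd /s /q C:\\Users\\Admin\\AppData\\Local\\Temp\\WDNEEewr'
              f' & timeout 4 & del /f /q "{SAMPLE}"',
              SAMPLE),
    ProcEvent(2544, 1880, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\system32\\cmd.exe" /c del /f /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\build.log"',
              r"C:\Program Files\Tool\tool.exe"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(segment):
    """Split one cmd.exe fragment into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(segment)]


def split_chain(payload):
    """Split a cmd payload on '&' / '&&' outside double quotes."""
    segments, current, in_quotes = [], [], False
    for ch in payload:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            segments.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    segments.append("".join(current).strip())
    return [s for s in segments if s]


def norm(path):
    """Case-insensitive, unquoted path for comparison."""
    return path.strip('"').lower()


def detect_self_delete(events):
    """Flag cmd.exe children whose /c or /k chain deletes the parent's own image.

    Returns a list of (pid, indicators) tuples; indicators records the pieces of
    the chain (directory removal, delay, parent deletion) that were matched.
    """
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        switch = re.search(r"\s/[ck]\s+", ev.cmdline, re.I)
        if not switch:
            continue
        indicators = []
        for segment in split_chain(ev.cmdline[switch.end():]):
            toks = tokens(segment)
            if not toks:
                continue
            verb = toks[0].lower()
            args = [t for t in toks[1:] if not t.startswith("/")]   # drop /s /q /f flags
            if verb in ("del", "erase") and args and norm(args[-1]) == norm(ev.parent_image):
                indicators.append("deletes parent image")
            elif verb == "timeout":
                indicators.append("delay before delete")
            elif verb in ("rd", "rmdir") and args:
                indicators.append(f"removes directory {args[-1]}")
        # The delay and the directory wipe are context; the parent deletion is the alert.
        if "deletes parent image" in indicators:
            findings.append((ev.pid, indicators))
    return findings


if __name__ == "__main__":
    for pid, why in detect_self_delete(EVENTS):
        print(f"PID {pid}: {'; '.join(why)}")
```

Run against the constructed events it reports only PID 1880, with all three indicators (directory removal, the timeout delay, and deletion of the parent image); the benign control deleting build.log is not flagged because the target does not equal its parent's image path.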
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/2228-1-0x0000000000270000-0x0000000000370000-memory.dmp  Filesize: 1024KB
memory/2228-2-0x0000000000790000-0x00000000007D5000-memory.dmp  Filesize: 276KB
memory/2228-3-0x0000000000400000-0x0000000000788000-memory.dmp  Filesize: 3.5MB
memory/2228-4-0x0000000000400000-0x0000000000788000-memory.dmp  Filesize: 3.5MB
memory/2228-5-0x0000000000790000-0x00000000007D5000-memory.dmp  Filesize: 276KB