Analysis

max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-04-2024 18:41

Static task: static1
Behavioral task: behavioral1
  Sample: bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe
  Resource: win7-20240221-en
General

Target: bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe
Size: 378KB
MD5: bfd38964ce5ed7eb0298112762d73661
SHA1: f44f6c31834a5e615b35a79e34c8396f31a440d3
SHA256: e3e6b0c7c76f1e07644749b4666f7c24bb9f061a9b9d0413623281d141cfa32f
SHA512: 4883083f628d89e5a41a847df4c84983b1e6779ba7f0176a70c6ce84b7dc0867362ab2296e8bb108018599e6b14a540a46d69ad3400c8aa0a0db8ccf4fff65e2
SSDEEP: 6144:YtojtTr+jbe26iPrJ0gDn2ykShB9uh1NeCx5CmkxIGgz2na6Ja:YtojxK3SQ0jS8LNeCx5PGgz2ah
Malware Config

Extracted
Family: cryptbot
C2: cemfyj62.top
C2: morota06.top
payload_url: http://bojitn09.top/download.php?file=lv.exe
Signatures

Deletes itself (1 IoC)
  Process: cmd.exe (PID 2108)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe)

Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 788)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3052 (bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe) wrote to memory of PID 2108 (cmd.exe): 4 events
  PID 2108 (cmd.exe) wrote to memory of PID 788 (timeout.exe): 4 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\cmd.exe
     Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mxPFiXNv & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe"
     (The 32-bit sample asks for system32\cmd.exe; WOW64 file system redirection resolves it to SysWOW64\cmd.exe, which is why the image path and the command line differ.)
     - Deletes itself
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\timeout.exe
       Command line: timeout 4
       - Delays execution with timeout.exe
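The cmd.exe child above is the classic self-delete chain: remove the working directory, wait a few seconds so the parent can exit, then delete the parent's own image. The chain is only suspicious when the `del` target is the image path of the process that spawned cmd.exe, which is what the script below checks. This is an added example written for this page, not tooling from the sandbox vendor or from the sample; the process events are constructed to mirror the tree above (same PIDs, paths and command lines), with a constructed explorer.exe parent and a constructed benign cleanup command as the negative case.

```python
"""Flag a cmd.exe child whose `del` target is its parent's own image path.
Event data below is constructed to match the report's process tree; it is
not sandbox output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path of the created process
    cmdline: str  # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bfd38964ce5ed7eb0298112762d73661_JaffaCakes118.exe"

# The exact chain from the report: rd <tempdir> & timeout 4 & del <self>.
CMD_CHAIN = (
    '"C:\\Windows\\system32\\cmd.exe" /c '
    r"rd /s /q C:\Users\Admin\AppData\Local\Temp\mxPFiXNv & timeout 4 & "
    f'del /f /q "{SAMPLE}"'
)

# Constructed process-creation events. PID 900 (explorer.exe) and PID 4000
# (an interactive cleanup) are assumptions added as a negative case.
EVENTS: List[ProcEvent] = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3052, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2108, 3052, r"C:\Windows\SysWOW64\cmd.exe", CMD_CHAIN),
    ProcEvent(788, 2108, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
    ProcEvent(4000, 900, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c rd /s /q C:\Temp\build & del /f /q C:\Temp\build.log"),
]


def _tokens(cmd: str) -> List[str]:
    """Split one command into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_cmd_chain(cmdline: str) -> Dict[str, object]:
    """Extract rd/rmdir targets, the timeout delay and del targets from a
    `cmd.exe /c a & b & c` line. Switches (/s, /q, /f, /t) are skipped."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I)
    body = m.group(1) if m else cmdline
    info: Dict[str, object] = {"rd": [], "timeout": None, "del": []}
    for part in body.split("&"):
        toks = _tokens(part.strip())
        if not toks:
            continue
        verb = toks[0].lower()
        args = [t for t in toks[1:] if not t.startswith("/")]
        if verb in ("rd", "rmdir"):
            info["rd"].extend(args)
        elif verb == "timeout":
            nums = [t for t in toks[1:] if t.isdigit()]
            info["timeout"] = int(nums[0]) if nums else None
        elif verb in ("del", "erase"):
            info["del"].extend(args)
    return info


def find_self_delete(events: List[ProcEvent]) -> List[dict]:
    """Return one hit per cmd.exe whose `del` target equals the parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None:
            continue
        info = parse_cmd_chain(e.cmdline)
        targets = {t.lower() for t in info["del"]}
        if parent.image.lower() in targets:
            hits.append({
                "cmd_pid": e.pid,
                "parent_pid": parent.pid,
                "parent_image": parent.image,
                "delay_seconds": info["timeout"],
                "dirs_removed": info["rd"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print(f"self-delete: PID {hit['parent_pid']} ({hit['parent_image']}) "
              f"via cmd.exe PID {hit['cmd_pid']}, delay {hit['delay_seconds']}s, "
              f"removed {hit['dirs_removed']}")
```

Matching on the parent's image path rather than on `del` alone is what keeps the benign cleanup (PID 4000) out of the results; in a real pipeline the same join is done on Sysmon Event ID 1 or Windows 4688 records, where ParentImage/ParentProcessId are already present on the child event.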
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps)

memory/3052-1-0x0000000001810000-0x0000000001910000-memory.dmp   1024KB
memory/3052-2-0x0000000000250000-0x0000000000295000-memory.dmp   276KB
memory/3052-3-0x0000000000400000-0x00000000016D2000-memory.dmp   18.8MB
memory/3052-4-0x0000000000400000-0x00000000016D2000-memory.dmp   18.8MB
memory/3052-5-0x0000000000250000-0x0000000000295000-memory.dmp   276KB