Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09-04-2024 10:35
Static task: static1
Behavioral task: behavioral1
- Sample: e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe
- Size: 319KB
- MD5: e9cbe181180f938d649cece9bd9d4e3f
- SHA1: 0a476de53d88218be1165315a98a0c7898b7d997
- SHA256: b04791153b4f7b15aff1c868064f087fbd1004f8c42aab3a577f9398623159eb
- SHA512: b2086ac964193daf2557c4ccdb0282302c4d47305f5c7663a4bf5079e50e1fb133c67108ecfbe764cbdaf0742a4ac9250d89875a4b60ca6ef0ff29e7fda10906
- SSDEEP: 6144:tel4Y9GgGam5m4aTsrpcwTGKbMFavS2Vqy8/GfY3Zl021yDTuJy:tel4Ykg45m4hVVGK3vFXrw3ZZ1yfoy
Malware Config
Extracted
- family: cryptbot
- domains:
  pacdpo22.top
  moreil02.top
- payload_url: http://zukelx03.top/download.php?file=lv.exe
Signatures
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  2320  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid   process
  2984  timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        pid   process                                              target process
  PID 1220 wrote to memory of 2320   1220  e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe  cmd.exe
  PID 1220 wrote to memory of 2320   1220  e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe  cmd.exe
  PID 1220 wrote to memory of 2320   1220  e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe  cmd.exe
  PID 1220 wrote to memory of 2320   1220  e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe  cmd.exe
  PID 2320 wrote to memory of 2984   2320  cmd.exe                                              timeout.exe
  PID 2320 wrote to memory of 2984   2320  cmd.exe                                              timeout.exe
  PID 2320 wrote to memory of 2984   2320  cmd.exe                                              timeout.exe
  PID 2320 wrote to memory of 2984   2320  cmd.exe                                              timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\dISNCbQYgrB & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\e9cbe181180f938d649cece9bd9d4e3f_JaffaCakes118.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/1220-1-0x0000000000940000-0x0000000000A40000-memory.dmp (Filesize: 1024KB)
- memory/1220-2-0x0000000000220000-0x0000000000266000-memory.dmp (Filesize: 280KB)
- memory/1220-3-0x0000000000400000-0x0000000000880000-memory.dmp (Filesize: 4.5MB)
- memory/1220-4-0x0000000000400000-0x0000000000880000-memory.dmp (Filesize: 4.5MB)
- memory/1220-5-0x0000000000220000-0x0000000000266000-memory.dmp (Filesize: 280KB)