Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 16-04-2024 14:49
Static task: static1
Behavioral task: behavioral1
Sample: f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe
Size: 378KB
MD5: f3b72059e2de728e8e501e3ad626af45
SHA1: 1af07d2d24adf92faf1bdf2357a098b3949fdbb3
SHA256: b1b56f177a463229c447d60683f7420530042faefc2f50077d7dd137ee40ba5d
SHA512: 6fcc5c5e548b14705762f801f6bb30960ab7da481a7ea5f90d4f7af716046b327c401389ccd931e323b637333090f5ae765389da58b4be365ad447838a2b7a46
SSDEEP: 6144:ohVc2rkTw3AQ0U+cUGh/ixN2r05y1FskG5btnMhoe9E:ohVcI0UXixN75cG5btn+d9
Malware Config
Extracted: cryptbot
Domains: cemfyj62.top, morota06.top
payload_url: http://bojitn09.top/download.php?file=lv.exe
Signatures
Deletes itself (1 IoC)
  Processes:
    pid 1608  cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe)
Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 2596  timeout.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1972 wrote to memory of 1608: f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe -> cmd.exe (4 events)
    PID 1608 wrote to memory of 2596: cmd.exe -> timeout.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\EBCHtMjIyQC & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/1972-2-0x0000000000270000-0x00000000002B5000-memory.dmp (filesize 276KB)
memory/1972-1-0x0000000001B40000-0x0000000001C40000-memory.dmp (filesize 1024KB)
memory/1972-3-0x0000000000400000-0x00000000016D2000-memory.dmp (filesize 18.8MB)
memory/1972-4-0x0000000000400000-0x00000000016D2000-memory.dmp (filesize 18.8MB)
memory/1972-5-0x0000000000270000-0x00000000002B5000-memory.dmp (filesize 276KB)