ee1fa3bacb25f889dd2cbebc24209faaf5ea2c9737683d63eb7e5e73375f67c5

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
Size

88KB
MD5

b2af72c33610fc3a2447070b6360072f
SHA1

782e06af80b80d3d87752666c11405bc1cfb80b5
SHA256

ee1fa3bacb25f889dd2cbebc24209faaf5ea2c9737683d63eb7e5e73375f67c5
SHA512

b2e98e4f20c59a461bb0e3b4a86efa71cd88375f4f905e4f044f79f9a10545af0f326cb8be194c467df45230a7bb7c63ce7d590ad4804079addbd484ec827648
SSDEEP

1536:0555555555555pDf3X3pDz3txh3KciU9MqqU+2bbbAV2/S2xr3IdE8mne0Avu5rL:A/Vr9akMqqDL2/xr3IdE8we0Avu5r++r

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21
Destination IP	170.106.49.21

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\S:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\B:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\G:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\P:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\N:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\R:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\V:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\W:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\E:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\H:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\I:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\K:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\X:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\U:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\A:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\J:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\M:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\O:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\L:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\T:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\Y:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
File opened (read-only)	\??\Z:	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

pid	process
4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

description	pid	process	target process
PID 4436 wrote to memory of 744	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 744	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 744	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2020	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2020	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2020	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2464	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2464	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2464	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 932	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 932	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 932	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2304	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2304	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2304	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1976	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1976	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1976	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 3104	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 3104	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 3104	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2496	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2496	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 2496	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 872	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 872	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 872	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 452	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 452	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 452	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1848	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1848	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1848	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1128	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1128	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 1128	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 4760	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 4760	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 4760	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 4980	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 4980	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe
PID 4436 wrote to memory of 4980	4436	b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit a.dnspod.com
2⤵
PID:744

C:\Windows\SysWOW64\nslookup.exe
nslookup bleepingcomputer.bit a.dnspod.com
2⤵
PID:2020

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit a.dnspod.com
2⤵
PID:2464

C:\Windows\SysWOW64\nslookup.exe
nslookup esetnod32.bit a.dnspod.com
2⤵
PID:932

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit a.dnspod.com
2⤵
PID:2304

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit a.dnspod.com
2⤵
PID:1976

C:\Windows\SysWOW64\nslookup.exe
nslookup bleepingcomputer.bit a.dnspod.com
2⤵
PID:3104

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit a.dnspod.com
2⤵
PID:2496

C:\Windows\SysWOW64\nslookup.exe
nslookup esetnod32.bit a.dnspod.com
2⤵
PID:872

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit a.dnspod.com
2⤵
PID:452

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit a.dnspod.com
2⤵
PID:1848

C:\Windows\SysWOW64\nslookup.exe
nslookup bleepingcomputer.bit a.dnspod.com
2⤵
PID:1128

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit a.dnspod.com
2⤵
PID:4760

C:\Windows\SysWOW64\nslookup.exe
nslookup esetnod32.bit a.dnspod.com
2⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5128 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads