Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 09:00
Behavioral task: behavioral1
- Sample: b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
- Size: 88KB
- MD5: b2af72c33610fc3a2447070b6360072f
- SHA1: 782e06af80b80d3d87752666c11405bc1cfb80b5
- SHA256: ee1fa3bacb25f889dd2cbebc24209faaf5ea2c9737683d63eb7e5e73375f67c5
- SHA512: b2e98e4f20c59a461bb0e3b4a86efa71cd88375f4f905e4f044f79f9a10545af0f326cb8be194c467df45230a7bb7c63ce7d590ad4804079addbd484ec827648
- SSDEEP: 1536:0555555555555pDf3X3pDz3txh3KciU9MqqU+2bbbAV2/S2xr3IdE8mne0Avu5rL:A/Vr9akMqqDL2/xr3IdE8we0Avu5r++r
Malware Config
Signatures
- Unexpected DNS network traffic destination (64 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes (description / ioc):
    Destination IP / 170.106.49.21 (all 64 entries record this same destination IP)

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only) / \??\S: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\B: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\G: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\P: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\Q: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\N: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\R: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\V: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\W: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\E: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\H: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\I: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\K: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\X: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\U: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\A: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\J: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\M: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\O: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\L: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\T: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\Y: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    File opened (read-only) / \??\Z: / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe (4 identical entries)

- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (description / pid / process / target process); each target PID appears three times in the report:
    PID 4436 wrote to memory of 744 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 2020 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 2464 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 932 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 2304 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 1976 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 3104 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 2496 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 872 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 452 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 1848 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 1128 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 4760 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
    PID 4436 wrote to memory of 4980 / 4436 / b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe / nslookup.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2af72c33610fc3a2447070b6360072f_JaffaCakes118.exe"
  Signatures:
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup bleepingcomputer.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup esetnod32.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup bleepingcomputer.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup esetnod32.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup bleepingcomputer.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit a.dnspod.com
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup esetnod32.bit a.dnspod.com
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5128 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8