Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 09:09

Static task: static1
Behavioral task: behavioral1
Sample: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
Resource: win7-20240419-en
General
- Target: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
- Size: 644KB
- MD5: 1ab71541ca9a32e1bf68f0cfea8e1f7b
- SHA1: 1b5615f4b20349b2939725fba10430540dc3c13d
- SHA256: d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476
- SHA512: 3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651
- SSDEEP: 12288:YvFZvSduvBf6l2uoQceGlfziC8lQsIaz/Wc9Gojl3vtMK6:y3v1Bf6Yu36lfuCDaqc9Gojl3Fl
Malware Config
Extracted
- Family: amadey
- Version: 2.11
- 109c93
- http://csgoprofind.net
- install_dir: de9b658861
- install_file: rween.exe
- strings_key: 720b92c5e32946a09a188fd6d18f00e2
- url_paths: /gWmR5f2W/index.php
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: rween.exe
  pid 2592  rween.exe
- Loads dropped DLL (2 IoCs)
  Processes: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  pid 1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  pid 1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe, rween.exe
  pid 1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  pid 1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  pid 2592  rween.exe
  pid 2592  rween.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe, rween.exe, cmd.exe
  description                          pid   process                                              target process
  PID 1992 wrote to memory of 2592     1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 1992 wrote to memory of 2592     1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 1992 wrote to memory of 2592     1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 1992 wrote to memory of 2592     1992  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 2592 wrote to memory of 2732     2592  rween.exe                                            cmd.exe
  PID 2592 wrote to memory of 2732     2592  rween.exe                                            cmd.exe
  PID 2592 wrote to memory of 2732     2592  rween.exe                                            cmd.exe
  PID 2592 wrote to memory of 2732     2592  rween.exe                                            cmd.exe
  PID 2732 wrote to memory of 2508     2732  cmd.exe                                              reg.exe
  PID 2732 wrote to memory of 2508     2732  cmd.exe                                              reg.exe
  PID 2732 wrote to memory of 2508     2732  cmd.exe                                              reg.exe
  PID 2732 wrote to memory of 2508     2732  cmd.exe                                              reg.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\ProgramData\de9b658861\rween.exe
    Command line: "C:\ProgramData\de9b658861\rween.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\152148167823037733278593 (empty file: these are the digests of zero-byte input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \ProgramData\de9b658861\rween.exe (same size and digests as the submitted sample)
  Filesize: 644KB
  MD5: 1ab71541ca9a32e1bf68f0cfea8e1f7b
  SHA1: 1b5615f4b20349b2939725fba10430540dc3c13d
  SHA256: d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476
  SHA512: 3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651
- memory/1992-6-0x0000000000400000-0x0000000000430000-memory.dmp  Filesize: 192KB
- memory/1992-5-0x0000000000890000-0x00000000008BD000-memory.dmp  Filesize: 180KB
- memory/1992-17-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB
- memory/1992-18-0x0000000000400000-0x0000000000430000-memory.dmp  Filesize: 192KB
- memory/1992-0-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/2592-19-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB
- memory/2592-25-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB
- memory/2592-26-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB
- memory/2592-27-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB
- memory/2592-28-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB
- memory/2592-32-0x0000000000400000-0x00000000004A8000-memory.dmp  Filesize: 672KB