Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 09:09

Static task: static1
Behavioral task: behavioral1
Sample: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
Size: 644KB
MD5: 1ab71541ca9a32e1bf68f0cfea8e1f7b
SHA1: 1b5615f4b20349b2939725fba10430540dc3c13d
SHA256: d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476
SHA512: 3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651
SSDEEP: 12288:YvFZvSduvBf6l2uoQceGlfziC8lQsIaz/Wc9Gojl3vtMK6:y3v1Bf6Yu36lfuCDaqc9Gojl3Fl
Malware Config

Extracted
Family: amadey
Version: 2.11
Botnet: 109c93
C2: http://csgoprofind.net
install_dir: de9b658861
install_file: rween.exe
strings_key: 720b92c5e32946a09a188fd6d18f00e2
url_paths: /gWmR5f2W/index.php
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: rween.exe, 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  description        ioc                                                                                                      process
  Key value queried  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation  rween.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
Processes: rween.exe
  pid   process
  4876  rween.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe, rween.exe
  pid   process
  2012  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  2012  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
  4876  rween.exe
  4876  rween.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe, rween.exe, cmd.exe
  description                       pid   process                                              target process
  PID 2012 wrote to memory of 4876  2012  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 2012 wrote to memory of 4876  2012  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 2012 wrote to memory of 4876  2012  1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe  rween.exe
  PID 4876 wrote to memory of 2320  4876  rween.exe                                            cmd.exe
  PID 4876 wrote to memory of 2320  4876  rween.exe                                            cmd.exe
  PID 4876 wrote to memory of 2320  4876  rween.exe                                            cmd.exe
  PID 2320 wrote to memory of 4648  2320  cmd.exe                                              reg.exe
  PID 2320 wrote to memory of 4648  2320  cmd.exe                                              reg.exe
  PID 2320 wrote to memory of 4648  2320  cmd.exe                                              reg.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\de9b658861\rween.exe
      Command line: "C:\ProgramData\de9b658861\rween.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\152142044500731267028356 (the hashes below are those of an empty, 0-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\de9b658861\rween.exe (identical to the submitted sample)
Filesize: 644KB
MD5: 1ab71541ca9a32e1bf68f0cfea8e1f7b
SHA1: 1b5615f4b20349b2939725fba10430540dc3c13d
SHA256: d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476
SHA512: 3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651

Memory dumps (dump name, filesize):
memory/2012-7-0x00000000029F0000-0x0000000002A1D000-memory.dmp   180KB
memory/2012-0-0x0000000000590000-0x0000000000591000-memory.dmp   4KB
memory/2012-17-0x0000000000400000-0x0000000000430000-memory.dmp  192KB
memory/2012-16-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/2012-8-0x0000000000400000-0x0000000000430000-memory.dmp   192KB
memory/4876-23-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-25-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-18-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-26-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-27-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-28-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-29-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
memory/4876-34-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB