63e648a0aec559a13391f2a6e80a6067f89badb4b33c4409b8e4a93d25766486

Analysis

max time kernel
143s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe
Size

704KB
MD5

14b07885d97263f9ba48203a10539c3d
SHA1

f5016d7068decb1f8087155a1a8de339909d7a33
SHA256

63e648a0aec559a13391f2a6e80a6067f89badb4b33c4409b8e4a93d25766486
SHA512

d752d0a2667376694583db68df09f5ec3bc55a2f5c77af1131137a521f64de09f752ebba781c174f2999bc77f4fd5d3129d743bf8172028e7c5e2995c1a727e5
SSDEEP

6144:shYsafa0idunTIPDan9xTy2VTk0xfdI3QPTYiEYKB6eTBh+:sWlfiunTIe9hTk0xlI30TYUHeT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1652	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BQMWdvw\svchost.exe	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\BQMWdvw\svchost.exe	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\NjUReN.dll	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe
File created	C:\Windows\ScenaNyp.dll	svchost.exe
File created	C:\Windows\JpOjduv\DfatUXH.dll	svchost.exe
File opened for modification	C:\Windows\JpOjduv\DfatUXH.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	2160	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2160	svchost.exe
2160	svchost.exe
2160	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2160	1652	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2160	1652	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2160	1652	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2160	1652	14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2776	2160	svchost.exe	31
PID 2160 wrote to memory of 2776	2160	svchost.exe	31
PID 2160 wrote to memory of 2776	2160	svchost.exe	31
PID 2160 wrote to memory of 2776	2160	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14b07885d97263f9ba48203a10539c3d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files (x86)\BQMWdvw\svchost.exe
  "C:\Program Files (x86)\BQMWdvw\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 648
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\BQMWdvw\svchost.exe

Filesize
709KB

MD5
bf1a3dadc75f1ed854f91a91a16da113

SHA1
f9d7498b915328c279076b0ccb603b668afd8717

SHA256
7c695f28546b54c0f61d621bfb5a838ed890f296df613258c8129c9b342b0ad8

SHA512
c7226dcadf4f8dfb8ad54ef5fc70f3790d2533591da4f85508d368862b2ee12d0f58e7bcff8a53d496637a78a8f0ff501c52375063f40afdb9aff15cf169bf4e

Download Submit
memory/1652-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1652-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1652-7-0x0000000001E00000-0x0000000001E5D000-memory.dmp

Filesize
372KB

Download
memory/2160-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download