bb56b181f4085b5231b176299044e42a603d01f1a234bd6bfb0c37fd094d0261

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 14:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe
Size

271KB
MD5

24b94eb7001b5868f66aff6c2cfcf3f9
SHA1

154e129fc7a13690a809b208f4887fb64e8dcfbe
SHA256

bb56b181f4085b5231b176299044e42a603d01f1a234bd6bfb0c37fd094d0261
SHA512

43d9fff3973a6d1832cd8c34b645dede4bccd5ec6bff6cb2e1b98122332852cc8134e939f8ee55a59577f454a504983c72758e4fe1e20a96966252ccd83869a7
SSDEEP

6144:q+FNvDu5NMsd+mF9gNMrhsgRx2aHNs8DtD1SpUxi:lFxDAdMmF94KZJ+v

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
740	76fcd5200b5bfd41.exe

Executes dropped EXE 2 IoCs

pid	Process
740	76fcd5200b5bfd41.exe
3740	76fcd5200b5bfd41.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-1-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-6-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3516-7-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-9-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-10-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-14-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-17-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-18-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-19-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-20-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-21-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-22-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-23-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-24-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-25-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-26-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-27-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-28-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-29-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-30-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-31-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-32-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-33-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-34-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-35-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-36-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-39-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-40-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-41-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-42-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-43-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/740-44-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3740-45-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\76fcd5200b5bfd41.exe\""	76fcd5200b5bfd41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\76fcd5200b5bfd41.exe\""	76fcd5200b5bfd41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\76fcd5200b5bfd41.exe\""	76fcd5200b5bfd41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\76fcd5200b5bfd41.exe\""	76fcd5200b5bfd41.exe

Program crash 20 IoCs

pid	pid_target	Process	procid_target
1760	3516	WerFault.exe	92
3328	3516	WerFault.exe	92
3664	740	WerFault.exe	95
2560	3740	WerFault.exe	101
1164	740	WerFault.exe	95
3952	740	WerFault.exe	95
3984	740	WerFault.exe	95
1484	740	WerFault.exe	95
2372	740	WerFault.exe	95
2008	740	WerFault.exe	95
4564	740	WerFault.exe	95
1132	740	WerFault.exe	95
3864	740	WerFault.exe	95
1448	740	WerFault.exe	95
2136	740	WerFault.exe	95
4176	740	WerFault.exe	95
2108	3740	WerFault.exe	101
3472	740	WerFault.exe	95
1220	740	WerFault.exe	95
664	740	WerFault.exe	95

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 740	3516	24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe	95
PID 3516 wrote to memory of 740	3516	24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe	95
PID 3516 wrote to memory of 740	3516	24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe	95
PID 740 wrote to memory of 3740	740	76fcd5200b5bfd41.exe	101
PID 740 wrote to memory of 3740	740	76fcd5200b5bfd41.exe	101
PID 740 wrote to memory of 3740	740	76fcd5200b5bfd41.exe	101

C:\Users\Admin\AppData\Local\Temp\24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\76fcd5200b5bfd41.exe
  :*C:\Users\Admin\AppData\Local\Temp\24b94eb7001b5868f66aff6c2cfcf3f9_JaffaCakes118.exe *
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\76fcd5200b5bfd41.exe
    a ZZZZZZZSVZG
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 616
      4⤵
      Program crash
      PID:2560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 636
      4⤵
      Program crash
      PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 708
    3⤵
    - Program crash
    PID:3664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 860
    3⤵
    - Program crash
    PID:1164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 884
    3⤵
    - Program crash
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 884
    3⤵
    - Program crash
    PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 860
    3⤵
    - Program crash
    PID:1484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 940
    3⤵
    - Program crash
    PID:2372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1088
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1128
    3⤵
    - Program crash
    PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1536
    3⤵
    - Program crash
    PID:1132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1592
    3⤵
    - Program crash
    PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1636
    3⤵
    - Program crash
    PID:1448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1780
    3⤵
    - Program crash
    PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1684
    3⤵
    - Program crash
    PID:4176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1684
    3⤵
    - Program crash
    PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 864
    3⤵
    - Program crash
    PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1060
    3⤵
    - Program crash
    PID:664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 140
  2⤵
  - Program crash
  PID:1760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 152
  2⤵
  - Program crash
  PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 3516
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3516 -ip 3516
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 740 -ip 740
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3740 -ip 3740
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 740 -ip 740
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 740 -ip 740
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 740 -ip 740
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 740 -ip 740
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 740 -ip 740
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 740 -ip 740
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 740 -ip 740
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 740 -ip 740
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 740 -ip 740
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 740 -ip 740
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 740 -ip 740
1⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 740 -ip 740
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3740 -ip 3740
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 740 -ip 740
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 740 -ip 740
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 740 -ip 740
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76fcd5200b5bfd41.exe

Filesize
271KB

MD5
ab767fec9f12a522c67d39eeff0e7ca1

SHA1
70c57bfb80b62176aa507965abbc5a27ff41771e

SHA256
748da783cf2f029f383aac74f6f3eb6a05ff9e220309b2bb80031e9906349619

SHA512
58d1113c77e0c628d2b2ff5b1b2763a58c3851ba1d599e5a0961bab182af68b1208ba4f7fa7931d318946a38d62b635acfc362e585569ed6341b84b8089a77c4

Download Submit
memory/740-34-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-20-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-6-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-30-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-44-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-10-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-42-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-17-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-26-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-40-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-36-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-28-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-22-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-32-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/740-24-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3516-0-0x0000000000750000-0x000000000077D000-memory.dmp

Filesize
180KB

Download
memory/3516-1-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3516-7-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-25-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-29-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-27-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-31-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-23-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-33-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-21-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-35-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-19-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-39-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-18-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-41-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-14-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-43-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-9-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3740-45-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads