Analysis Overview
SHA256
2b55350b069149a459b5d0664210e419fa806f2bbbcd1369ac968b0613cc506c
Threat Level: Known bad
The file 55084413e3321b7684a868937c65b73d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Vidar
Vidar Stealer
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-31 13:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-31 13:00
Reported
2024-03-31 13:03
Platform
win7-20240319-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2080 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2080 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2080 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2080 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1340
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | mas.to | udp |
| US | 104.21.11.154:443 | mas.to | tcp |
Files
memory/2080-1-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2080-2-0x0000000002EE0000-0x0000000002FB6000-memory.dmp
memory/2080-3-0x0000000000400000-0x0000000001735000-memory.dmp
memory/2080-19-0x0000000000400000-0x0000000001735000-memory.dmp
memory/2080-20-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2080-22-0x0000000002EE0000-0x0000000002FB6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-31 13:00
Reported
2024-03-31 13:03
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55084413e3321b7684a868937c65b73d_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1004
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mas.to | udp |
| US | 172.67.166.96:443 | mas.to | tcp |
| US | 8.8.8.8:53 | 96.166.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp |
Files
memory/1508-1-0x00000000017C0000-0x00000000018C0000-memory.dmp
memory/1508-2-0x0000000003480000-0x0000000003556000-memory.dmp
memory/1508-3-0x0000000000400000-0x0000000001735000-memory.dmp
memory/1508-10-0x0000000000400000-0x0000000001735000-memory.dmp
memory/1508-11-0x0000000003480000-0x0000000003556000-memory.dmp