Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:21
Static task: static1
Behavioral task: behavioral1
  Sample: b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
Size: 272KB
MD5: b96781c5601f3e5c44e955e9f1d261c8
SHA1: 387ec8f67707b40f7504c0098b58a978c7889932
SHA256: 64a753aeb9f4b178c8b1a8d8385d7eab119d21d7fee0f167ba1b044d0f96caa3
SHA512: d128e30b4e4020bdf71bf1fe1db77cf8f99c2415a26280d5516fe70f7e379ab24d464ab10908a1b2df23cd32717c8d2f37eb5f7fbf4fc3ce02fc97421cf87459
SSDEEP: 6144:q+FNvDu5NMsd+mF9gNMrhsgRx2aHNs8DtD1SpUxw:lFxDAdMmF94KZJ+Z
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2196  fe9b758c1c41f0ee.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2196  fe9b758c1c41f0ee.exe
  3060  fe9b758c1c41f0ee.exe
- yara_rule matches (32 memory IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/4376-1-0x0000000000400000-0x0000000000541000-memory.dmp      upx
  behavioral2/memory/2196-6-0x0000000000400000-0x0000000000541000-memory.dmp      upx
  behavioral2/memory/4376-7-0x0000000000400000-0x0000000000541000-memory.dmp      upx
  behavioral2/memory/3060-9-0x0000000000400000-0x0000000000541000-memory.dmp      upx
  behavioral2/memory/2196-15-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-16-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-17-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-18-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-19-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-20-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-21-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-22-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-23-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-24-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-25-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-26-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-27-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-28-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-29-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-30-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-31-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-32-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-33-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-36-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-37-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-38-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-39-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-40-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-41-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-42-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/2196-43-0x0000000000400000-0x0000000000541000-memory.dmp     upx
  behavioral2/memory/3060-44-0x0000000000400000-0x0000000000541000-memory.dmp     upx
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe9b758c1c41f0ee.exe\""       fe9b758c1c41f0ee.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe9b758c1c41f0ee.exe\""   fe9b758c1c41f0ee.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe9b758c1c41f0ee.exe\""       fe9b758c1c41f0ee.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe9b758c1c41f0ee.exe\""   fe9b758c1c41f0ee.exe
- Program crash (19 IoCs)
  pid   pid_target  Process       procid_target
  3200  4376        WerFault.exe  85
  1864  4376        WerFault.exe  85
  1612  2196        WerFault.exe  87
  2024  3060        WerFault.exe  94
  4736  2196        WerFault.exe  87
  2540  2196        WerFault.exe  87
  2408  2196        WerFault.exe  87
  828   2196        WerFault.exe  87
  3472  2196        WerFault.exe  87
  1796  2196        WerFault.exe  87
  2928  2196        WerFault.exe  87
  2832  2196        WerFault.exe  87
  4632  2196        WerFault.exe  87
  5000  2196        WerFault.exe  87
  1388  2196        WerFault.exe  87
  4724  2196        WerFault.exe  87
  3408  2196        WerFault.exe  87
  4948  2196        WerFault.exe  87
  2004  2196        WerFault.exe  87
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                              procid_target
  PID 4376 wrote to memory of 2196   4376  b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe  87
  PID 4376 wrote to memory of 2196   4376  b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe  87
  PID 4376 wrote to memory of 2196   4376  b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe  87
  PID 2196 wrote to memory of 3060   2196  fe9b758c1c41f0ee.exe                                 94
  PID 2196 wrote to memory of 3060   2196  fe9b758c1c41f0ee.exe                                 94
  PID 2196 wrote to memory of 3060   2196  fe9b758c1c41f0ee.exe                                 94
Processes
- C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe"
  PID 4376: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fe9b758c1c41f0ee.exe
    cmdline: :*C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe *
    PID 2196: Deletes itself; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fe9b758c1c41f0ee.exe
      cmdline: a ZZZZZZXYQTG
      PID 3060: Executes dropped EXE; Adds Run key to start application
      - C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 616
        PID 2024: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 644
      PID 1612: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 860
      PID 4736: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 900
      PID 2540: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 900
      PID 2408: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 896
      PID 828: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 992
      PID 3472: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1092
      PID 1796: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1092
      PID 2928: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1536
      PID 2832: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1532
      PID 4632: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1612
      PID 5000: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1600
      PID 1388: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1808
      PID 4724: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 804
      PID 3408: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 864
      PID 4948: Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1820
      PID 2004: Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 300
    PID 3200: Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 348
    PID 1864: Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4376 -ip 4376
  PID 1112
- C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4376 -ip 4376
  PID 112
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2196 -ip 2196
  PID 3960
- C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3060 -ip 3060
  PID 1188
- C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
  PID 1312
- C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2196 -ip 2196
  PID 4300
- C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2196 -ip 2196
  PID 2544
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2196 -ip 2196
  PID 3040
- C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2196 -ip 2196
  PID 4564
- C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2196 -ip 2196
  PID 928
- C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2196 -ip 2196
  PID 4876
- C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
  PID 1008
- C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196
  PID 4368
- C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196
  PID 2136
- C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2196 -ip 2196
  PID 4784
- C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2196 -ip 2196
  PID 3332
- C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2196 -ip 2196
  PID 3880
- C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2196 -ip 2196
  PID 4836
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2196 -ip 2196
  PID 4332
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 272KB
  MD5: 39b10c324d86ce8046883254bad2c7aa
  SHA1: 18c742d608282ba46acfe3ff78ae380eaabe9e24
  SHA256: 30c2196730d7399219b0419d9944f45f461d83ef8ea4655e73a3f99bce07611a
  SHA512: b79235674283250bac15eb3c836a61fcae1f826a14158a3b8ee42a4ae3c2f0813ed2699998bbc9123848f42ae3cfefb4acb9e31f0f4fe1ebc6fac3e43f14c162