Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:21

General

  • Target

    b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe

  • Size

    272KB

  • MD5

    b96781c5601f3e5c44e955e9f1d261c8

  • SHA1

    387ec8f67707b40f7504c0098b58a978c7889932

  • SHA256

    64a753aeb9f4b178c8b1a8d8385d7eab119d21d7fee0f167ba1b044d0f96caa3

  • SHA512

    d128e30b4e4020bdf71bf1fe1db77cf8f99c2415a26280d5516fe70f7e379ab24d464ab10908a1b2df23cd32717c8d2f37eb5f7fbf4fc3ce02fc97421cf87459

  • SSDEEP

    6144:q+FNvDu5NMsd+mF9gNMrhsgRx2aHNs8DtD1SpUxw:lFxDAdMmF94KZJ+Z

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Program crash 19 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Users\Admin\AppData\Local\Temp\fe9b758c1c41f0ee.exe
      :*C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe *
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Users\Admin\AppData\Local\Temp\fe9b758c1c41f0ee.exe
        a ZZZZZZXYQTG
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3060
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 616
          4⤵
          • Program crash
          PID:2024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 644
        3⤵
        • Program crash
        PID:1612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 860
        3⤵
        • Program crash
        PID:4736
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 900
        3⤵
        • Program crash
        PID:2540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 900
        3⤵
        • Program crash
        PID:2408
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 896
        3⤵
        • Program crash
        PID:828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 992
        3⤵
        • Program crash
        PID:3472
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1092
        3⤵
        • Program crash
        PID:1796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1092
        3⤵
        • Program crash
        PID:2928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1536
        3⤵
        • Program crash
        PID:2832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1532
        3⤵
        • Program crash
        PID:4632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1612
        3⤵
        • Program crash
        PID:5000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1600
        3⤵
        • Program crash
        PID:1388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1808
        3⤵
        • Program crash
        PID:4724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 804
        3⤵
        • Program crash
        PID:3408
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 864
        3⤵
        • Program crash
        PID:4948
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1820
        3⤵
        • Program crash
        PID:2004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 300
      2⤵
      • Program crash
      PID:3200
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 348
      2⤵
      • Program crash
      PID:1864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4376 -ip 4376
    1⤵
    PID:1112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4376 -ip 4376
    1⤵
    PID:112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2196 -ip 2196
    1⤵
    PID:3960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3060 -ip 3060
    1⤵
    PID:1188
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
    1⤵
    PID:1312
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2196 -ip 2196
    1⤵
    PID:4300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2196 -ip 2196
    1⤵
    PID:2544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2196 -ip 2196
    1⤵
    PID:3040
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2196 -ip 2196
    1⤵
    PID:4564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2196 -ip 2196
    1⤵
    PID:928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2196 -ip 2196
    1⤵
    PID:4876
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
    1⤵
    PID:1008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196
    1⤵
    PID:4368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196
    1⤵
    PID:2136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2196 -ip 2196
    1⤵
    PID:4784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2196 -ip 2196
    1⤵
    PID:3332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2196 -ip 2196
    1⤵
    PID:3880
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2196 -ip 2196
    1⤵
    PID:4836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2196 -ip 2196
    1⤵
    PID:4332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fe9b758c1c41f0ee.exe
    Filesize
    272KB
    MD5
    39b10c324d86ce8046883254bad2c7aa
    SHA1
    18c742d608282ba46acfe3ff78ae380eaabe9e24
    SHA256
    30c2196730d7399219b0419d9944f45f461d83ef8ea4655e73a3f99bce07611a
    SHA512
    b79235674283250bac15eb3c836a61fcae1f826a14158a3b8ee42a4ae3c2f0813ed2699998bbc9123848f42ae3cfefb4acb9e31f0f4fe1ebc6fac3e43f14c162
  • memory/2196-25-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-27-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-6-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-43-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-41-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-15-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-39-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-17-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-37-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-19-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-33-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-21-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-31-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-23-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/2196-29-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-36-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-18-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-20-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-26-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-24-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-30-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-22-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-44-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-42-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-32-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-28-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-38-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-16-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-40-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/3060-9-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/4376-1-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/4376-7-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize
    1.3MB
  • memory/4376-0-0x0000000000800000-0x000000000082D000-memory.dmp
    Filesize
    180KB