1b5723422fd107ecac103455ec79c881d4785970d33cc375f8de146267126ab8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
Size

13KB
MD5

e7853ebec5f438d537e1f0d59daef2b7
SHA1

a3630f7c39503e1b3c7bf6393af6dffccd7b9782
SHA256

1b5723422fd107ecac103455ec79c881d4785970d33cc375f8de146267126ab8
SHA512

79811c6e6fc74e71f26d67eb221ee39ee86f7c563fcfc9d56f2d5847b9b8df02eb60316cd484d9368b1c8c4374c18f9c2dd8dd037ab6a923595a481d0d8f3534
SSDEEP

384:s5wfWyQB/pbXkaegjYWBX12fnaNJawcudoD7UM:AwfqXkaLYWBX12fanbcuyD7U

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2868	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
2868	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2868-10-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	2072	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2072	2868	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2072	2868	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2072	2868	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2072	2868	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2964	2072	b2e.exe	29
PID 2072 wrote to memory of 2964	2072	b2e.exe	29
PID 2072 wrote to memory of 2964	2072	b2e.exe	29
PID 2072 wrote to memory of 2964	2072	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe

Filesize
17KB

MD5
746c4b919f32f705067adccc46748ed7

SHA1
26e228a986bdfe7219d8354b6f9cbc4c3637dcfe

SHA256
5fcf4a4980b50f43a06ee1be36a01f2d922664beebd20bd5a2ef1a6a6b31b4c4

SHA512
ec3d48b5e04d420a6e6bcab37d243dbd1c935d97f6cb6c383deeb19e27d820f1884ea3876937e6bffa03a298f71527f601288cdbe2fd5c2b0d29bd4d139fa0fc

Download Submit
memory/2072-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2868-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2868-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2868-5-0x0000000002400000-0x0000000002405000-memory.dmp

Filesize
20KB

Download