26e3935f9e6a021f70782e8d6a1c4d0d23c218bcfffdb79b3526b746d5a290f6

Analysis

max time kernel
148s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
Size

380KB
MD5

f1063749089485c04afdf0e612ecefd6
SHA1

1aff565fa53fbf071e2d82bd13364dac94d074ab
SHA256

26e3935f9e6a021f70782e8d6a1c4d0d23c218bcfffdb79b3526b746d5a290f6
SHA512

ff06a98ac64430f823063dedc06a40d8e55d152594c92cd2c89f7850dd227dfb05f9d36f2170b1f5274141b4a9fc04a4046b03d637e7bf692cab719f029c1b0a
SSDEEP

6144:jHmzMe3ZKpplTrUFaEnuKlJD2qhiVrBDPi87DxmLX2xq5otuBNukc1ppB3PQ:bGZpgKaEnuylEK877qGcHG4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	acieixvka.exe

Loads dropped DLL 1 IoCs

pid	Process
5032	acieixvka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
348	4416	WerFault.exe	82
2712	4416	WerFault.exe	82
3900	4416	WerFault.exe	82
4652	4416	WerFault.exe	82
1516	4416	WerFault.exe	82
1576	4416	WerFault.exe	82
3120	4416	WerFault.exe	82
2664	4416	WerFault.exe	82
2636	4416	WerFault.exe	82
5048	5032	WerFault.exe	112
928	5032	WerFault.exe	112
1932	5032	WerFault.exe	112
1828	5032	WerFault.exe	112
2812	5032	WerFault.exe	112
4164	5032	WerFault.exe	112

Kills process with taskkill 1 IoCs

evasion

pid	Process
1396	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4924	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 552	4416	f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe	104
PID 4416 wrote to memory of 552	4416	f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe	104
PID 4416 wrote to memory of 552	4416	f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe	104
PID 552 wrote to memory of 1396	552	cmd.exe	108
PID 552 wrote to memory of 1396	552	cmd.exe	108
PID 552 wrote to memory of 1396	552	cmd.exe	108
PID 552 wrote to memory of 4924	552	cmd.exe	110
PID 552 wrote to memory of 4924	552	cmd.exe	110
PID 552 wrote to memory of 4924	552	cmd.exe	110
PID 552 wrote to memory of 5032	552	cmd.exe	112
PID 552 wrote to memory of 5032	552	cmd.exe	112
PID 552 wrote to memory of 5032	552	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 588
  2⤵
  - Program crash
  PID:348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 664
  2⤵
  - Program crash
  PID:2712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 776
  2⤵
  - Program crash
  PID:3900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 872
  2⤵
  - Program crash
  PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1032
  2⤵
  - Program crash
  PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 888
  2⤵
  - Program crash
  PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 888
  2⤵
  - Program crash
  PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1052
  2⤵
  - Program crash
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4416 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\ACIEIX~1.EXE -f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 4416
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:4924
- - C:\Users\Admin\AppData\Local\acieixvka.exe
    C:\Users\Admin\AppData\Local\ACIEIX~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 552
      4⤵
      Program crash
      PID:5048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 800
      4⤵
      Program crash
      PID:928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 840
      4⤵
      Program crash
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 856
      4⤵
      Program crash
      PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 808
      4⤵
      Program crash
      PID:2812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 848
      4⤵
      Program crash
      PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 532
  2⤵
  - Program crash
  PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4416 -ip 4416
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4416 -ip 4416
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4416 -ip 4416
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4416 -ip 4416
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4416 -ip 4416
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4416 -ip 4416
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4416 -ip 4416
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4416 -ip 4416
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5032 -ip 5032
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5032 -ip 5032
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5032 -ip 5032
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5032 -ip 5032
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5032 -ip 5032
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5032 -ip 5032
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\acieixvka.exe

Filesize
380KB

MD5
f1063749089485c04afdf0e612ecefd6

SHA1
1aff565fa53fbf071e2d82bd13364dac94d074ab

SHA256
26e3935f9e6a021f70782e8d6a1c4d0d23c218bcfffdb79b3526b746d5a290f6

SHA512
ff06a98ac64430f823063dedc06a40d8e55d152594c92cd2c89f7850dd227dfb05f9d36f2170b1f5274141b4a9fc04a4046b03d637e7bf692cab719f029c1b0a

Download Submit
memory/4416-9-0x0000000000DA0000-0x0000000000DE2000-memory.dmp

Filesize
264KB

Download
memory/4416-1-0x0000000000DA0000-0x0000000000DE2000-memory.dmp

Filesize
264KB

Download
memory/4416-3-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/4416-4-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/4416-5-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/4416-6-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/4416-8-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/4416-0-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/4416-2-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/5032-13-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/5032-14-0x0000000000AF0000-0x0000000000B32000-memory.dmp

Filesize
264KB

Download
memory/5032-15-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/5032-16-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/5032-17-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

Filesize
8KB

Download
memory/5032-19-0x0000000000D60000-0x0000000000DFD000-memory.dmp

Filesize
628KB

Download
memory/5032-20-0x0000000001000000-0x000000000109D000-memory.dmp

Filesize
628KB

Download
memory/5032-24-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download