c73f28954ce5ca480c6a3bd6ad0bad0673bbcc568ae2e7aaac790d2b311207e5

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe
Size

798KB
MD5

fa9e12f6f5757fd7512ada333485ee79
SHA1

5ca6ca5e213a48cd3454e5eb71e67ac0f8203a63
SHA256

c73f28954ce5ca480c6a3bd6ad0bad0673bbcc568ae2e7aaac790d2b311207e5
SHA512

7346039727d27a984f1923485689a3438f26df23c9c58da3845fe9094b68132891ff2887d1f1dab02a235258c06da655d6bb052b462211749460c5e798477828
SSDEEP

24576:6yIw4hif2ucI7uCetjxWXbcwqQmX2mrwXh:627uvjxscwLmhM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	1.exe

Loads dropped DLL 6 IoCs

pid	Process
2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe
2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe
2904	1.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2904	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2904	2252	fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2664	2904	1.exe	29
PID 2904 wrote to memory of 2664	2904	1.exe	29
PID 2904 wrote to memory of 2664	2904	1.exe	29
PID 2904 wrote to memory of 2664	2904	1.exe	29
PID 2904 wrote to memory of 2664	2904	1.exe	29
PID 2904 wrote to memory of 2664	2904	1.exe	29
PID 2904 wrote to memory of 2664	2904	1.exe	29

C:\Users\Admin\AppData\Local\Temp\fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa9e12f6f5757fd7512ada333485ee79_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 276
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
494KB

MD5
85cef07d2d598f6ca51c7afdb30a6fb8

SHA1
269bd4355a16d1fc70503ed5592775924dcf1d81

SHA256
241f446ec41e6d6e188054703e2e75d79c7b4ef7c17beb35419940826a51d83f

SHA512
6308c86ebbe26502a40eb8944c6e244aa9f52902080e3d14ec936d6db863be29d16016afbd62a136d978d3896267b7a9880f025895e333a94c3f4277290243ba

Download Submit
memory/2252-14-0x00000000042B0000-0x00000000043A5000-memory.dmp

Filesize
980KB

Download
memory/2252-2-0x0000000001000000-0x00000000010D4000-memory.dmp

Filesize
848KB

Download
memory/2252-3-0x0000000000CD0000-0x0000000000D24000-memory.dmp

Filesize
336KB

Download
memory/2252-4-0x0000000003670000-0x0000000003673000-memory.dmp

Filesize
12KB

Download
memory/2252-1-0x0000000000300000-0x00000000003D4000-memory.dmp

Filesize
848KB

Download
memory/2252-0-0x0000000001000000-0x00000000010D4000-memory.dmp

Filesize
848KB

Download
memory/2252-17-0x00000000042B0000-0x00000000043A5000-memory.dmp

Filesize
980KB

Download
memory/2252-22-0x0000000001000000-0x00000000010D4000-memory.dmp

Filesize
848KB

Download
memory/2252-24-0x0000000000300000-0x00000000003D4000-memory.dmp

Filesize
848KB

Download
memory/2252-25-0x0000000000CD0000-0x0000000000D24000-memory.dmp

Filesize
336KB

Download
memory/2252-26-0x00000000042B0000-0x00000000043A5000-memory.dmp

Filesize
980KB

Download
memory/2904-18-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads