f0d14c2179a284d670eaee54e352410e1d4e07709b3a598740fc4335962a7111

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 15:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe
Size

1.5MB
MD5

fa906dba2ad062692aec7c7744ea8848
SHA1

5e4c2fca53b74cde062b664bac22292bf2618103
SHA256

f0d14c2179a284d670eaee54e352410e1d4e07709b3a598740fc4335962a7111
SHA512

7a8135bc6fe40f2847030cef99597a758e750189d88ae20af91127bf95ddf17d4e8262d8802aade5f0f0f2c131960617e297f832190e700d641741414bc404e4
SSDEEP

24576:5XQMZPf+zrb8ASNbQbBB/4hfw+Jwz/S/6ffS51uRcRdJ45oGTPk5BkA:r3MFSNsbBB/4Bw+W7SCnSbuuRdJ46isc

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
3	discord.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	1760	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2764	1760	fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2764	1760	fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2764	1760	fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2764	1760	fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa906dba2ad062692aec7c7744ea8848_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1196
  2⤵
  - Program crash
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-1-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1760-0-0x0000000000260000-0x00000000003DE000-memory.dmp

Filesize
1.5MB

Download
memory/1760-2-0x0000000002020000-0x0000000002060000-memory.dmp

Filesize
256KB

Download
memory/1760-3-0x0000000004B80000-0x0000000004BF2000-memory.dmp

Filesize
456KB

Download
memory/1760-4-0x0000000004BF0000-0x0000000004C96000-memory.dmp

Filesize
664KB

Download
memory/1760-5-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/1760-6-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/1760-7-0x00000000006F0000-0x0000000000716000-memory.dmp

Filesize
152KB

Download
memory/1760-8-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/1760-9-0x0000000001F60000-0x0000000001F6E000-memory.dmp

Filesize
56KB

Download
memory/1760-10-0x0000000001FC0000-0x0000000001FCA000-memory.dmp

Filesize
40KB

Download
memory/1760-11-0x0000000001FD0000-0x0000000002002000-memory.dmp

Filesize
200KB

Download
memory/1760-12-0x0000000004C90000-0x0000000004D40000-memory.dmp

Filesize
704KB

Download
memory/1760-13-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/1760-14-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1760-15-0x0000000002020000-0x0000000002060000-memory.dmp

Filesize
256KB

Download