ee87c0206a3a229a610280d097f30597f79e93d1c74ede9a1b2b86e7afe0a164

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
Size

317KB
MD5

fe914e545e6619379b586976da83ff8c
SHA1

593071e1859d8d3ead7c12618996eddfe4aa763b
SHA256

ee87c0206a3a229a610280d097f30597f79e93d1c74ede9a1b2b86e7afe0a164
SHA512

a6af73bc62daa09921de203a17277e8ffdd9155f3ff575feb09c23fe78e4056540672143979122297d8512a80604b9719da252b58c8a38addf343e1988bf3dc7
SSDEEP

6144:93+W3HxuuQagkTj9hBhf+q/R+eDDyVMKOKhWKO9POgVxiarcEqh9D1m:ceHx19g2jfBNWrVtOIWHPR+Eco

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4264	oOcLlDh07003.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	oOcLlDh07003.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3016-2-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-4-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-5-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-6-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-19-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-20-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-23-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-24-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3016-31-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-32-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4264-35-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oOcLlDh07003 = "C:\\ProgramData\\oOcLlDh07003\\oOcLlDh07003.exe"	oOcLlDh07003.exe

Program crash 27 IoCs

pid	pid_target	Process	procid_target
116	3016	WerFault.exe	91
2940	4264	WerFault.exe	92
4424	3016	WerFault.exe	91
3112	4264	WerFault.exe	92
4792	3016	WerFault.exe	91
4828	4264	WerFault.exe	92
1384	3016	WerFault.exe	91
3784	4264	WerFault.exe	92
2656	3016	WerFault.exe	91
2976	4264	WerFault.exe	92
1148	3016	WerFault.exe	91
4992	4264	WerFault.exe	92
3484	3016	WerFault.exe	91
1728	4264	WerFault.exe	92
4868	3016	WerFault.exe	91
3980	3016	WerFault.exe	91
4792	4264	WerFault.exe	92
2804	4264	WerFault.exe	92
404	3016	WerFault.exe	91
2656	4264	WerFault.exe	92
1708	4264	WerFault.exe	92
1860	4264	WerFault.exe	92
4220	4264	WerFault.exe	92
1144	4264	WerFault.exe	92
2436	4264	WerFault.exe	92
232	4264	WerFault.exe	92
2800	4264	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
Token: SeDebugPrivilege	4264	oOcLlDh07003.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4264	oOcLlDh07003.exe
4264	oOcLlDh07003.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4264	oOcLlDh07003.exe
4264	oOcLlDh07003.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4264	oOcLlDh07003.exe
4264	oOcLlDh07003.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4264	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe	92
PID 3016 wrote to memory of 4264	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe	92
PID 3016 wrote to memory of 4264	3016	fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\ProgramData\oOcLlDh07003\oOcLlDh07003.exe
  "C:\ProgramData\oOcLlDh07003\oOcLlDh07003.exe" "C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 764
    3⤵
    - Program crash
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 772
    3⤵
    - Program crash
    PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 796
    3⤵
    - Program crash
    PID:4828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 804
    3⤵
    - Program crash
    PID:3784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 928
    3⤵
    - Program crash
    PID:2976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1000
    3⤵
    - Program crash
    PID:4992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1080
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1224
    3⤵
    - Program crash
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1408
    3⤵
    - Program crash
    PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1620
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1628
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1656
    3⤵
    - Program crash
    PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1632
    3⤵
    - Program crash
    PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1692
    3⤵
    - Program crash
    PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1804
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1824
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 788
    3⤵
    - Program crash
    PID:2800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 620
  2⤵
  - Program crash
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 788
  2⤵
  - Program crash
  PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 796
  2⤵
  - Program crash
  PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 840
  2⤵
  - Program crash
  PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 848
  2⤵
  - Program crash
  PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1008
  2⤵
  - Program crash
  PID:1148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1048
  2⤵
  - Program crash
  PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1200
  2⤵
  - Program crash
  PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 640
  2⤵
  - Program crash
  PID:3980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 140
  2⤵
  - Program crash
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3016 -ip 3016
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4264 -ip 4264
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4264 -ip 4264
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3016 -ip 3016
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4264 -ip 4264
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3016 -ip 3016
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4264 -ip 4264
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3016 -ip 3016
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4264 -ip 4264
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3016 -ip 3016
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4264 -ip 4264
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3016 -ip 3016
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4264 -ip 4264
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3016 -ip 3016
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3016 -ip 3016
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4264 -ip 4264
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4264 -ip 4264
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3016 -ip 3016
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4264 -ip 4264
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4264 -ip 4264
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4264 -ip 4264
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4264 -ip 4264
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4264 -ip 4264
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4264 -ip 4264
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4264 -ip 4264
1⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4264 -ip 4264
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oOcLlDh07003\oOcLlDh07003.exe

Filesize
317KB

MD5
ee7a40cd1e4e0aa949c6d633e08b9f7c

SHA1
f207188eaaf42442f62b5dd451fb461288918935

SHA256
9950dcab6b2cc7083296a467a171416917e6dbcc9b85ef892cd07c1866e6990e

SHA512
20cf86e3b0dfb06d85f1cd9e661bdc0ef0967e45398498a52515abad2101eddd4794df306173ae774f33e75b24c23d28afa88c71e000e99bf5e6020f93e6fd5a

Download Submit
memory/3016-4-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-5-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-6-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-1-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3016-31-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3016-2-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-19-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-24-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-15-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-32-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4264-35-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads