51c1b03da7ae896b7d9779c11e7c8439b350519a0bc26cb9041de9e1a4a0a476

Analysis

max time kernel
55s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 23:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01e71d095960ce8866e78a0b1df7ac8e_JaffaCakes118.exe
Size

489KB
MD5

01e71d095960ce8866e78a0b1df7ac8e
SHA1

ffecd6b74a5c742a51d5ddd239b9d228e593ed6b
SHA256

51c1b03da7ae896b7d9779c11e7c8439b350519a0bc26cb9041de9e1a4a0a476
SHA512

e7ae89090a1f8c6a97a8d8235de48a0b202d58881b098d61bd6cae40d4048c1f8c67aa5e444bc385622ab77a11e4c9e85246e37d0763bd3cc966c3e771608b77
SSDEEP

12288:l/QfhJ7kNO9EoUOPKD3ypHaWIjsDEDsj:lGJ7kY9EoUpDipjED

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2448	befadegfdg_P.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4200	2448	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2448	4972	01e71d095960ce8866e78a0b1df7ac8e_JaffaCakes118.exe	84
PID 4972 wrote to memory of 2448	4972	01e71d095960ce8866e78a0b1df7ac8e_JaffaCakes118.exe	84
PID 4972 wrote to memory of 2448	4972	01e71d095960ce8866e78a0b1df7ac8e_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\01e71d095960ce8866e78a0b1df7ac8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01e71d095960ce8866e78a0b1df7ac8e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe
  C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe 6,9,8,2,7,0,1,8,5,4,8 KUdBQjYxODAvLhgpSk1ASUlDNSscJ0g8TFVIUkpBPzkpGiY8R0xUSDw4LjEwKyweKENIPDgsGClHSk09VUJMWkU8NykwNjI4HydOQUpQPEpdTlJLNWNwbGoxJy1scnUmP0FLRSRMTUktQEhLKkFIPUceKENLQT5HQT40GC09MTwlLBwnPik1KyogLjwuOSUrFydCLT0sKRsrPC80JS8ZL09KSkBNPUtXTktJVTk+VTUaJkhQSERUO09bPU9DOTsZL09KSkBNPUtXTDpNRDVgdF0aJj1WPl9USkc5GCk8UENYQ0w8R0VGPzQYLUFPUkxaPkpJTktDSz00GCpQQDtFQ1dIVV5NTUg1GiZOSzYyHyc/Tyk3FydQTk5TQUhBV1E8REFITURBSD0/P0xKSjYgLkFOW0pPRUxHRkU8bG1xXRomSkNNVVFGREo/WUxLQ0tfQzlUTzUsFydGQkREUDgtGClAS109WU05SEU7WTxGQUtZT0xAQDVgWGRxXiAuPEpTRkZGOUJYSU81LSwwKCgpLic5MiYsLioaJkg/S0FLREBIV0NFS1I6TEs1b25tXxcnUkJNRDUsMC0qKi01LjYwGCpAR1FFRE06RF5MREk9NygqLSo3LiorLS0kKDIuLzovKSVMRQ==
  2⤵
  - Executes dropped EXE
  PID:2448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 228
    3⤵
    - Program crash
    PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2448 -ip 2448
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe

Filesize
674KB

MD5
93c3c1d0d5299bb9cefe9e9181a17070

SHA1
77a89de10714fd3862276d65ca4cb440628d81a4

SHA256
fbe70131b58335fc221283fe76ee5ebeef38c677ab97a7a775ec1a8beb32aaa7

SHA512
9e2871266f95a6f96fd92db2f37141f4a39b095922e1a6f482a73fbaaeb653464f4ff0e445ef3aec95e9b1f2437245ff68fd7bc1c5e5341c572b24a1e4ab0ce3

Download Submit