Analysis

- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/04/2024, 08:52

The signatures, process tree and dropped files listed below come from this Windows 7 x64 run (behavioral1); no details from the Windows 10 task appear on this page.
Static task: static1

Behavioral task: behavioral1
- Sample: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General

- Target: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
- Size: 92KB
- MD5: 04d1391971c911a6e9e33780fc6fea34
- SHA1: f43a1618ffbd8c5cbf550af0697785e2d09c4156
- SHA256: e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c
- SHA512: 65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9
- SSDEEP: 1536:veIAxtMMjEJzW2r27usjy3RwrhUc+bEjyuPu6kLaL746F+ZZnvHumdHE:XAxtrYBW2wfjy3RwdZ+E
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   process
  2896  WScript.exe

- Executes dropped EXE (2 IoCs)
  pid   process
  2632  Wawuaug.exe
  1324  Wawuaug.exe

- Loads dropped DLL (2 IoCs)
  pid   process
  2424  WerFault.exe
  2424  WerFault.exe

- Drops file in Program Files directory (2 IoCs)
  description                   ioc                                                   process
  File opened for modification  C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe  04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe  04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  pid   pid_target  process       procid_target
  2424  2632        WerFault.exe  28
  (WerFault.exe was invoked for PID 2632, the first Wawuaug.exe instance; the dropped payload crashed rather than the original sample.)

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  2808  04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
  2632  Wawuaug.exe
  2808  04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2632  Wawuaug.exe

- Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair was reported four times)
  description                        pid   process                                             procid_target
  PID 2632 wrote to memory of 1324   2632  Wawuaug.exe                                         29  (x4)
  PID 2808 wrote to memory of 2896   2808  04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe  31  (x4)
  PID 2632 wrote to memory of 2424   2632  Wawuaug.exe                                         30  (x4)
  (procid_target is the sandbox's own process index, not a Windows PID. Every write target here is a direct child of the writing process in the tree below, so this records parent-to-child writes around process creation; no writes into unrelated processes were logged.)
Processes

- C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe (PID 2808)
  command line: "C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\WScript.exe (PID 2896)
    command line: "C:\Windows\System32\WScript.exe" "C:\7380.vbs"
    - Deletes itself
    (The command line names System32 but the image that ran is the 32-bit copy in SysWOW64, which is WoW64 file-system redirection: the parent is a 32-bit process. The script lives in the drive root, C:\7380.vbs.)

- C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (PID 2632)
  command line: "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
  (listed as a separate top-level process; the report does not record which process started it)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (PID 1324)
    command line: "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
    - Executes dropped EXE
  - child: C:\Windows\SysWOW64\WerFault.exe (PID 2424)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 228
    - Loads dropped DLL
    - Program crash
    (-p 2632 is the crashing process, i.e. the parent Wawuaug.exe instance.)
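The report's host-side IoCs turned into hunting rules, as an added example that is not part of the sandbox report and not the sample's own code. It assumes a constructed Sysmon-like event shape (dicts with event, image, cmdline, parent_image, target and optional hashes); the event records, the explorer.exe parent exclusion and the rule names are illustrative, and the digests are the ones listed in the General section above.

```python
"""Hunting rules derived from the sandbox report above (added example)."""
import hashlib
import re
from pathlib import PureWindowsPath

# Digests of the submitted sample, copied from the report's General section.
KNOWN_DIGESTS = {
    "md5": {"04d1391971c911a6e9e33780fc6fea34"},
    "sha1": {"f43a1618ffbd8c5cbf550af0697785e2d09c4156"},
    "sha256": {"e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c"},
}
DROP_DIR = r"c:\program files (x86)\microsoft tntmib"  # compared case-insensitively
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_ARG = re.compile(r'"?([a-z]:\\[^"\s]+?\.vbs)"?', re.IGNORECASE)  # quoted or bare .vbs path


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _is_drive_root_file(path):
    """True for C:\\7380.vbs, False for C:\\Users\\Admin\\x.vbs."""
    p = PureWindowsPath(path)
    return str(p.parent).lower() == p.anchor.lower()


def digest_bytes(data):
    """MD5/SHA1/SHA256 of a byte string, keyed like KNOWN_DIGESTS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_DIGESTS}


def match_known(digests):
    """Algorithms whose digest equals the known sample's digest."""
    return {alg for alg, value in digests.items()
            if value.lower() in KNOWN_DIGESTS.get(alg, set())}


def rule_file_drop(ev):
    """File written into 'Microsoft Tntmib' under Program Files (x86)."""
    if ev["event"] != "FileCreate":
        return None
    if str(PureWindowsPath(ev["target"]).parent).lower() == DROP_DIR:
        return f"file dropped into {DROP_DIR}: {ev['target']}"
    return None


def rule_script_host_root_vbs(ev):
    """Non-interactive parent starts WScript/CScript on a .vbs in a drive root.

    Mirrors the self-delete handoff in the report (sample -> WScript.exe "C:\\7380.vbs").
    Excluding explorer.exe as parent (user double-click) is an assumption of this example.
    """
    if ev["event"] != "ProcessCreate" or _basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    parent = _basename(ev["parent_image"])
    if parent in SCRIPT_HOSTS or parent == "explorer.exe":
        return None
    for script in VBS_ARG.findall(ev["cmdline"]):
        if _is_drive_root_file(script):
            return f"{parent} launched {_basename(ev['image'])} on drive-root script {script}"
    return None


def rule_known_digest(ev):
    """FileCreate whose recorded hashes match the sample's digests."""
    if ev["event"] != "FileCreate" or "hashes" not in ev:
        return None
    hits = match_known(ev["hashes"])
    return f"known sample digest ({', '.join(sorted(hits))}) at {ev['target']}" if hits else None


RULES = (rule_file_drop, rule_script_host_root_vbs, rule_known_digest)


def hunt(events):
    """Run every rule over every event; return (rule name, detail) pairs in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, detail))
    return findings


# Constructed events mirroring the report's process tree, plus one benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
DROPPED = r"C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
EVENTS = [
    {"event": "ProcessCreate", "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    # The MD5 here is constructed: the report lists a 92 KB download carrying the
    # sample's digests but does not say which path it was written to.
    {"event": "FileCreate", "image": SAMPLE, "target": DROPPED,
     "hashes": {"md5": "04d1391971c911a6e9e33780fc6fea34"}},
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\7380.vbs"', "parent_image": SAMPLE},
    {"event": "ProcessCreate", "image": DROPPED, "cmdline": f'"{DROPPED}" Win7',
     "parent_image": DROPPED},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",  # benign control
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Scripts\backup.vbs"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, detail in hunt(EVENTS):
        print(f"[{name}] {detail}")
```

Against the constructed events the drop-path rule and the digest rule both fire on the Wawuaug.exe write, the script-host rule fires on the sample's WScript.exe child, and the user-launched backup.vbs control stays silent. For a real hunt, feed Sysmon EventID 1 and 11 records (or equivalent EDR telemetry) in the same shape and treat the drop directory and the drive-root .vbs pattern as the durable signals; the hash match only catches this exact 92 KB file.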
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 500B
  MD5: 782aabe9e7bf63a2be014e3d077420f6
  SHA1: 8f6119e94496de6ecc7c23649575e6e730f8bde3
  SHA256: 3ce58f41ca21d6c06a84546edd4e8e4ff57868b7df445569a81518648f3278c8
  SHA512: cb8ae4caa417216156353dc375f8f217637277c4a1cc19f0f5d2de1bd1b91bc4433a35f16de2fef3a4fb3ca6928200b051ec5d42afe9a16e700d501ee42d82b6

- Filesize: 92KB (same digests as the submitted sample)
  MD5: 04d1391971c911a6e9e33780fc6fea34
  SHA1: f43a1618ffbd8c5cbf550af0697785e2d09c4156
  SHA256: e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c
  SHA512: 65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9