e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
Size

92KB
MD5

04d1391971c911a6e9e33780fc6fea34
SHA1

f43a1618ffbd8c5cbf550af0697785e2d09c4156
SHA256

e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c
SHA512

65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9
SSDEEP

1536:veIAxtMMjEJzW2r27usjy3RwrhUc+bEjyuPu6kLaL746F+ZZnvHumdHE:XAxtrYBW2wfjy3RwdZ+E

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2896	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	Wawuaug.exe
1324	Wawuaug.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	WerFault.exe
2424	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	2632	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2808	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
2632	Wawuaug.exe
2808	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	Wawuaug.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 1324	2632	Wawuaug.exe	29
PID 2632 wrote to memory of 1324	2632	Wawuaug.exe	29
PID 2632 wrote to memory of 1324	2632	Wawuaug.exe	29
PID 2632 wrote to memory of 1324	2632	Wawuaug.exe	29
PID 2808 wrote to memory of 2896	2808	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2896	2808	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2896	2808	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2896	2808	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2424	2632	Wawuaug.exe	30
PID 2632 wrote to memory of 2424	2632	Wawuaug.exe	30
PID 2632 wrote to memory of 2424	2632	Wawuaug.exe	30
PID 2632 wrote to memory of 2424	2632	Wawuaug.exe	30

C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\7380.vbs"
  2⤵
  - Deletes itself
  PID:2896

C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
"C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
  "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 228
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7380.vbs

Filesize
500B

MD5
782aabe9e7bf63a2be014e3d077420f6

SHA1
8f6119e94496de6ecc7c23649575e6e730f8bde3

SHA256
3ce58f41ca21d6c06a84546edd4e8e4ff57868b7df445569a81518648f3278c8

SHA512
cb8ae4caa417216156353dc375f8f217637277c4a1cc19f0f5d2de1bd1b91bc4433a35f16de2fef3a4fb3ca6928200b051ec5d42afe9a16e700d501ee42d82b6

Download Submit
C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe

Filesize
92KB

MD5
04d1391971c911a6e9e33780fc6fea34

SHA1
f43a1618ffbd8c5cbf550af0697785e2d09c4156

SHA256
e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

SHA512
65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9

Download Submit