99eaba3178d57de3f1909bf85950bf9776534b5e0ed75ab8d94c89b309a3a908

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 17:20

Target

082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe
Size

660KB
MD5

082a44f654500e22b45b8af1b113fdca
SHA1

490dabf6c1b059a8c2664d1afbb389f2a8138757
SHA256

99eaba3178d57de3f1909bf85950bf9776534b5e0ed75ab8d94c89b309a3a908
SHA512

f09a4c8f3a019a1b0d69119dc7c1376c57f821be7eced30189d17821ff7475efd295c6dbb3f1a46a0c8ec0326b2dfc924298e58d9f3e64ca75ef16f232db56cb
SSDEEP

12288:xTT9G0ghtvwsw+y64v0uefNR+DNakB4OGoGPZlID72ZPq7tKIgujV:FM0Yvwsd4KlADNaknGLPXIHiS78K5

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	¸´¼þ 6.exe

Loads dropped DLL 5 IoCs

pid	Process
2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe
2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3036	2216	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2216	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2216	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2216	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2216	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	28
PID 2216 wrote to memory of 3036	2216	¸´¼þ 6.exe	29
PID 2216 wrote to memory of 3036	2216	¸´¼þ 6.exe	29
PID 2216 wrote to memory of 3036	2216	¸´¼þ 6.exe	29
PID 2216 wrote to memory of 3036	2216	¸´¼þ 6.exe	29
PID 2368 wrote to memory of 2636	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2636	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2636	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2636	2368	082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\082a44f654500e22b45b8af1b113fdca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\¸´¼þ 6.exe
  "C:\Users\Admin\AppData\Local\Temp\¸´¼þ 6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 204
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_xiaran.bat" "
  2⤵
  - Deletes itself
  PID:2636

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\_xiaran.bat

Filesize
212B

MD5
f07547be77c4a16ba554281b7c388930

SHA1
8121994515f06754aefa5264c882a35b4a57952f

SHA256
26bbb9e3489a257415a11ab3f7e4c451fea58d8e94689d48cd1569bd44848bd9

SHA512
9e228047674921d415999a83e469fd9fadddf1977cc18806379ed133e0061327eed1496a0d6d75c0000d232d5c9912cce8fb13038017ba35c6b020a3a7297a82

Download Submit
\Users\Admin\AppData\Local\Temp\¸´¼þ 6.exe

Filesize
645KB

MD5
e79b3f1bd29e1f0afe02e128f4a5643a

SHA1
fe47caea8b2e20657a754d1357be7eb9126ca319

SHA256
3f1095a5af77a156d96b1ceb25688e9ec065ff2608579a36a3adba52af3d21e0

SHA512
175e5b6ae2c3a2932f5b73e11ca4a2a4edc942d325dd80b77c6bd11de07dcbb9900635b21548703a1152950718b7c88d2231293fb403e191470ecdd5b3c89b88

Download Submit
memory/2216-14-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2216-28-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2368-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2368-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2368-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2368-12-0x0000000002C00000-0x0000000002D2D000-memory.dmp

Filesize
1.2MB

Download
memory/2368-11-0x0000000002C00000-0x0000000002D2D000-memory.dmp

Filesize
1.2MB

Download
memory/2368-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download