48e5dece48c60df3d2cc89acceff2f06bbaa84e6946ccf58ada14cd1d3924c8f

Analysis

max time kernel
79s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 07:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe
Size

77KB
MD5

0d28f433ed4855079628cf93d127a1bd
SHA1

8227376167e3160f2c2ead536e62b24c49d4a447
SHA256

48e5dece48c60df3d2cc89acceff2f06bbaa84e6946ccf58ada14cd1d3924c8f
SHA512

3692ffab210a932b11b8e54602b4a71ba4fc7c8fd52963a4235c2846f8eadbe40a23481ce1a0129d56d6cfe15e94a8f4f212e098ce9ff478a3a3f7754e6d6fb4
SSDEEP

1536:2VvlvbLBn6xWkX03dUbFUMjt/suG4kFFSuWtr:2Vp3BnAu3dOUMNU4kFFSuWh

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000233ea-6.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	dll-img.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\exblaoer 7.txt	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dll-img.EXE	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3980	2668	WerFault.exe	82
4528	2668	WerFault.exe	82

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2584	4172	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe	81
PID 4172 wrote to memory of 2584	4172	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe	81
PID 4172 wrote to memory of 2584	4172	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe	81
PID 4172 wrote to memory of 2668	4172	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe	82
PID 4172 wrote to memory of 2668	4172	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe	82
PID 4172 wrote to memory of 2668	4172	0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d28f433ed4855079628cf93d127a1bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\exblaoer 7.txt
  2⤵
  PID:2584
- C:\Windows\SysWOW64\dll-img.EXE
  "C:\Windows\system32\dll-img.EXE"
  2⤵
  - Executes dropped EXE
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 252
    3⤵
    - Program crash
    PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 284
    3⤵
    - Program crash
    PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2668 -ip 2668
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2668 -ip 2668
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dll-img.EXE

Filesize
73KB

MD5
6c2530eb4751af8d51ba5c44e8ad5589

SHA1
737dba932810d855275cc8e371900513143f0000

SHA256
fa8303cf0688d2e23aeaf25661036af809b08ee580db9bab85c4c46662e14c89

SHA512
57a3df6535b8f92d8080762c1b01028a21dc285be11a3856522694bd21b73926ff409b65f872a40eafefdb837c0f668e4ed645042ea9929f313ade60bf7079d3

Download Submit
C:\Windows\SysWOW64\exblaoer 7.txt

Filesize
332B

MD5
59d00fcf6a15f93f43a1ddab17b6dfc0

SHA1
e6e2ddfd5fcc01804e3518e375e0676b8f38dbd5

SHA256
7362d9b32a9136d49103a59a1ab4ba4bf7384e535b376de066dda00ca8e1e0d3

SHA512
50d47e4bcb45010c014c54973ecb599c127fbb379e6209a5b36523854675bfe76b49f56531a8a445eff66e77cd17c6d3895b2682c45c4d6dd9a58f11726a562f

Download Submit
memory/2668-10-0x0000000010000000-0x0000000010013200-memory.dmp

Filesize
76KB

Download
memory/2668-12-0x0000000010000000-0x0000000010013200-memory.dmp

Filesize
76KB

Download