c8e26282d16d383a962f67616a11a1338377b4f1668c57e2e652b447916ab66b

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18098637720bdce77eeb119276a3049d_JaffaCakes118.exe
Size

114KB
MD5

18098637720bdce77eeb119276a3049d
SHA1

e67d9d54fdd8e08b5b252f76d3c9d012a12cba5a
SHA256

c8e26282d16d383a962f67616a11a1338377b4f1668c57e2e652b447916ab66b
SHA512

0e3a0cad5989d4a57d7c18dfe87fb98ef1e41bc70126eb180bedd7baecc4ff73136ced754ec4cf9d5a59cd07bb0f8cdf44a833afbb60be561f57e1d7dd35caba
SSDEEP

3072:WNyah0mJ8NAPp/hag8c5WDElgsHBiod+ddczWRxY:WwPsppaghX6sHb8uqRxY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2268	matrix33680.exe

Loads dropped DLL 8 IoCs

pid	Process
1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe
1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe
2268	matrix33680.exe
2268	matrix33680.exe
2268	matrix33680.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	2268	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2268	1868	18098637720bdce77eeb119276a3049d_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29
PID 2268 wrote to memory of 2292	2268	matrix33680.exe	29

C:\Users\Admin\AppData\Local\Temp\18098637720bdce77eeb119276a3049d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18098637720bdce77eeb119276a3049d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\matrix33680.exe
  C:\Users\Admin\AppData\Local\Temp\matrix33680.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\matrix33680.exe

Filesize
64KB

MD5
677dd6a715290bfa453cda92e6e00da4

SHA1
540f607d63f8715feaf53bca2ae96f727a9b7299

SHA256
81f17cc0d8b8c45468d024fcadca3242b1844989086103e7b5800c7a49861f63

SHA512
89839fc24b284ebfb4b840d6516c924726f586ac20314e9a8a0d1bffe66a61afdb41afba2a6baaffd27251c94f7facb817bf9a972c43517d0192a1685db6b094

Download Submit
memory/2268-14-0x000000000040A000-0x0000000000415000-memory.dmp

Filesize
44KB

Download
memory/2268-18-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download