f6827b4c797301092baaf0ebc71aaea2c31fea74ba16caeaf07dee625270573d

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe
Size

5.3MB
MD5

187e9355c15aa4ae26d68b87d5180f08
SHA1

48872adfa9a107d743bd820e886e0a99888530db
SHA256

f6827b4c797301092baaf0ebc71aaea2c31fea74ba16caeaf07dee625270573d
SHA512

fbe18bcd6b8629b6b42506b78233c0f903265e9f18502b7083f2b89a3120dd865ce9220051b188e55a5443d2bbe71d4ed030de4735a89a9a9dbec555bb582d40
SSDEEP

98304:A4FVT+HoqTs+joYMl9CYysqLRFce2EfQp/I9bbiSwI2mrmRlXTY9y8ASvjNe7ISJ:/FVT+IqnMYMqxsqFWe2XKHrhmRlXTY9U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	setup.exe

Loads dropped DLL 8 IoCs

pid	Process
3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe
1456	WerFault.exe
1456	WerFault.exe
1456	WerFault.exe
1456	WerFault.exe
1456	WerFault.exe
1456	WerFault.exe
1456	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1456	948	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 3000 wrote to memory of 948	3000	187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe	28
PID 948 wrote to memory of 1456	948	setup.exe	29
PID 948 wrote to memory of 1456	948	setup.exe	29
PID 948 wrote to memory of 1456	948	setup.exe	29
PID 948 wrote to memory of 1456	948	setup.exe	29
PID 948 wrote to memory of 1456	948	setup.exe	29
PID 948 wrote to memory of 1456	948	setup.exe	29
PID 948 wrote to memory of 1456	948	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\187e9355c15aa4ae26d68b87d5180f08_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\minimax_plus_3222\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\minimax_plus_3222\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 348
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\minimax_plus_3222\SETUP.exe

Filesize
817KB

MD5
5d3baf0e1efe7313cc2b74a4df5ac8cf

SHA1
416916c048ed1dd2d54d8a1d149eb1705cddde85

SHA256
4454fb32a1dd04dfb93ebd5bb1e4b6c56f7ff72e2328180d9b7aa79b3022ff4f

SHA512
c79a3f1abddec7dcd51b0dd054d864bb46a326369eb31bc16e90326e1be97151dc2b92ce8fa35183b017c46ba6cf7db81ae0ad77b5e6c22bb94510b61e751796

Download Submit
memory/948-216-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download