529ae5e2605da6b2440e0eb126aa67c74c2bd12d1d4844e9ca1a3954d4c305db

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe
Size

511KB
MD5

19a6d189f6f37286f7cfaa0963d86a63
SHA1

50860bcbe75fabeb2eaf7310989dca869f28bc3e
SHA256

529ae5e2605da6b2440e0eb126aa67c74c2bd12d1d4844e9ca1a3954d4c305db
SHA512

0ee9d4f1ffc4e748351c9f848b77b2089097a55abbeecb38fc96f5a924bc59dd1c39fb0872c7d010b666e933c678c562a8d31f0ce488fce6f5ca8520d69dff9d
SSDEEP

6144:RuaFmrZC9YOtyRkPyn9uA5TQfJAGUImt9SV72iEeTBR0:R9WZC9txPyQAKUImTj5eTv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4380	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QKwoCW\svchost.exe	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\QKwoCW\svchost.exe	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\QJrMdEJ\DSHqqOYq.dll	svchost.exe
File opened for modification	C:\Windows\QJrMdEJ\DSHqqOYq.dll	svchost.exe
File created	C:\Windows\FLfscuDs.dll	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe
File created	C:\Windows\CLOG.txt	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe
File created	C:\Windows\TCCqrVxS.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2248	4380	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4380	svchost.exe
4380	svchost.exe
4380	svchost.exe
4380	svchost.exe
4380	svchost.exe
4380	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4380	2132	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe	81
PID 2132 wrote to memory of 4380	2132	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe	81
PID 2132 wrote to memory of 4380	2132	19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19a6d189f6f37286f7cfaa0963d86a63_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\QKwoCW\svchost.exe
  "C:\Program Files (x86)\QKwoCW\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1216
    3⤵
    - Program crash
    PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\QKwoCW\svchost.exe

Filesize
512KB

MD5
2255386e23d6cac4884c1ad3f672cf6d

SHA1
fc7777d48e0d54b852fd96d426a269ab802dcb6f

SHA256
f2da71c87094cd915c33dd22970a50de1ded64cd22b2a8c4575c8d89abfd4869

SHA512
b567acfbfdce86da84cd93c83973dd2ce1de5e8ae2bebe532ce6c58721808e0c335d7ecaa9945e25f4eee0912ebb1c78fb0bdac28e1282be2ce2f04b4a8a1ba1

Download Submit
C:\Windows\CLOG.txt

Filesize
165B

MD5
37c746f630e2d956c8ae7d93452b953e

SHA1
8d81dae1567016b02d3832414047ba923bb9b759

SHA256
7b1a3ad9eac24d031d0d0cded62a9d35467c8d8bf22b634b78e7aa6c75ded666

SHA512
7242a90ec9c9930d77df551b0360da590eb4a24a110dc7b965baf487a22be3c0d83be365eb0e11c8669bd28cb2df7e95764641efb2836706ccff6e73a4b410ac

Download Submit
memory/2132-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2132-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4380-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4380-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4380-52-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download