093bd19789e92ff9270976c39e4585ce0ffdaad33efd80fc17b77f45acc61faf

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe
Size

75KB
MD5

229de532314f23eac3bf6e977ee4f9fe
SHA1

c625beca5a2df7ba9cb62f36ad866b75488de074
SHA256

093bd19789e92ff9270976c39e4585ce0ffdaad33efd80fc17b77f45acc61faf
SHA512

569586d115b56e853612277694ecb0455e98b0a7b599ebaeea6567c595f658bf781a89a21c04e848c5e9c468d2c22c6a65b4b131ec5bd43fd667f8995488d672
SSDEEP

1536:O96bq+91nioxizwg8LAlqVTY3cHIaJQ3sXcEscy1RUGo1NeeY:wx2Ri8gkZwI5JQ3P351RPorY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1484	360RES~1.EXE

Loads dropped DLL 8 IoCs

pid	Process
2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe
2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe
1484	360RES~1.EXE
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	1484	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1484	2756	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	28
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29
PID 1484 wrote to memory of 2900	1484	360RES~1.EXE	29

C:\Users\Admin\AppData\Local\Temp\229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 264
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE

Filesize
72KB

MD5
5605b899606ca775dd8a6e94e618dae9

SHA1
457107597e33810622fcab56372475aa14e91c90

SHA256
2fa34e298812aa994c787e2d33ae1091e99d93e1eed08a11afa538abb3292296

SHA512
c126057b1a7161ccef97eef495b237a052af766707abfa96ceb4dee56a3d347fc3867afd90181b8897d2e0d17c9bfb98a1362a06add58fe5138793eb4fca3b40

Download Submit
memory/1484-14-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2756-0-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2756-4-0x00000000001D0000-0x00000000001EB000-memory.dmp

Filesize
108KB

Download
memory/2756-11-0x00000000001D0000-0x00000000001EB000-memory.dmp

Filesize
108KB

Download
memory/2756-20-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads