d188955e07254e5a2f367f236ed7e3f199ef8e8c759e48d6f9946d8fbfd0fa9d

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
Size

230KB
MD5

266303070fc1bd775014164fc31d6104
SHA1

e303b77eb9c24e75447229b7c06390fc7272c079
SHA256

d188955e07254e5a2f367f236ed7e3f199ef8e8c759e48d6f9946d8fbfd0fa9d
SHA512

ba3d35218148457e0fec722b8e8230f458effa8c71a08365d2c552de1aa94f70faff09228e5ce6f4e739e41b99018cfd2188cafee5d6ea10889ae8f2b05215f7
SSDEEP

6144:P4IpXL2U8z2XqRe0mLGmZAgirEbka7Y5W:lZL2U8KXBPamZSgY5W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2640	notepad.exe
2664	ns1576.tmp
2532	calc.exe

Loads dropped DLL 22 IoCs

pid	Process
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
2640	notepad.exe
2640	notepad.exe
2640	notepad.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
2664	ns1576.tmp
2664	ns1576.tmp
2532	calc.exe
2532	calc.exe
2532	calc.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2756	2640	WerFault.exe	28
776	2532	WerFault.exe	31

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2640	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2664	1992	266303070fc1bd775014164fc31d6104_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2664 wrote to memory of 2532	2664	ns1576.tmp	31
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2640 wrote to memory of 2756	2640	notepad.exe	32
PID 2532 wrote to memory of 776	2532	calc.exe	33
PID 2532 wrote to memory of 776	2532	calc.exe	33
PID 2532 wrote to memory of 776	2532	calc.exe	33
PID 2532 wrote to memory of 776	2532	calc.exe	33
PID 2532 wrote to memory of 776	2532	calc.exe	33
PID 2532 wrote to memory of 776	2532	calc.exe	33
PID 2532 wrote to memory of 776	2532	calc.exe	33

C:\Users\Admin\AppData\Local\Temp\266303070fc1bd775014164fc31d6104_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\266303070fc1bd775014164fc31d6104_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\notepad.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\nsi1517.tmp\ns1576.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsi1517.tmp\ns1576.tmp" C:\Users\Admin\AppData\Local\Temp\calc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\calc.exe
    C:\Users\Admin\AppData\Local\Temp\calc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 252
      4⤵
      Loads dropped DLL
      Program crash
      PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi1517.tmp\ns1576.tmp

Filesize
6KB

MD5
0ce63a85925c40505e6b18c941043702

SHA1
efa904f4e5149c2dde3ca8300927ee773b302646

SHA256
11089a50c4111fe81136fbfc1e7b6ebab14fd152cebe4a189d61640bf0a58e43

SHA512
22b15300ac21a05377a9f56ad3e3a5401a838faa15a712647810f838d144cd3b8915bd2444a04a3d8eefe0a158835dbcf0dad6144e91f87a55232274ed7e6626

Download Submit
\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
72KB

MD5
84da9f64582ef53b5cbb9e39946d391f

SHA1
064fcba39b755e35ae5bf3cd2862bb2a42948fcf

SHA256
57e1d9d0cda42a25c81041d11dc8b3b84e459f5fcd15def5e799e796d372107b

SHA512
841b2a8b4f46e902d32bb265cbc9a4158336c38a083457d73ef66cbc6f4758995fc911c31af51476e9e17278bbaa0aaadf4c028fff7552ac437be4383eb07268

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
7KB

MD5
3ffe958a44c3933d475b7f1c4385bbbc

SHA1
1e51ea42de03dae3076c9e6d8fe5a96f10ab35c2

SHA256
3785451d6b0601e1dc6aeff7e69d297e8256346f4bf39d1d4880f87a8365047b

SHA512
2e9e2340d03c0cedb89ccb25515e9e5c2cddb66891472ed239339c18b3074939dbbfd27db86c0344c16a2a97dec27cb34a68363cb046605cbeaa7bad64314d16

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1517.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1517.tmp\nsExec.dll

Filesize
6KB

MD5
0526bedbefd95d8ab1330b665e78cc21

SHA1
1a59a1fcd25372b4c8b6dd5d37aa732b15879486

SHA256
01890288a95401c1cbda6d1fc1fca77f29b4547a968f979d552a9b4bfe19428b

SHA512
0018aa562b237aa295a98a8de8a008ae5ecd5bf299a0f0e81011f4114da8dab581bb5d1dd1f953815abaa03d54803722cc611b9e53ffeb64c8996c652559d4b0

Download Submit
memory/1992-37-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/1992-36-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/2532-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2532-69-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2532-71-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2532-70-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2532-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2640-38-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2640-43-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2640-44-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2640-78-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2664-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2664-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download