f3070509254ff629966d53a1d8a277311b17b7ded7219d25eb5932f5938cbd8a

Analysis

max time kernel
141s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
Size

116KB
MD5

2545c3041f9a3896f657eabb8a169d4f
SHA1

27827bfb4faaea07194988f57d2907aa520cd60f
SHA256

f3070509254ff629966d53a1d8a277311b17b7ded7219d25eb5932f5938cbd8a
SHA512

aef83cfdbeefec91a926b37c3d21e84e471b70bb9046d9b426d235d88cc607a4b25c55763873f6df6a5b3b91aa15a227ff29102aee3d4ac4f63afede53072e4a
SSDEEP

1536:ss+jhi0Ckg2QtJoIvM4EXf5uEp54yhFeK0JJmlhU8KKbDHZyRFOJMeiO0mUQA+jG:xim2QtJoaUFP4Jj8DX0RFOXdTm+Ot

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4496	netprotocol.exe
2072	netprotocol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 3000	1424	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	80
PID 4496 set thread context of 2072	4496	netprotocol.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3540	1424	WerFault.exe	79
4780	4496	WerFault.exe	82

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3000	1424	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	80
PID 1424 wrote to memory of 3000	1424	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	80
PID 1424 wrote to memory of 3000	1424	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	80
PID 1424 wrote to memory of 3000	1424	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	80
PID 1424 wrote to memory of 3000	1424	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	80
PID 3000 wrote to memory of 4496	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	82
PID 3000 wrote to memory of 4496	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	82
PID 3000 wrote to memory of 4496	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	82
PID 4496 wrote to memory of 2072	4496	netprotocol.exe	85
PID 4496 wrote to memory of 2072	4496	netprotocol.exe	85
PID 4496 wrote to memory of 2072	4496	netprotocol.exe	85
PID 4496 wrote to memory of 2072	4496	netprotocol.exe	85
PID 4496 wrote to memory of 2072	4496	netprotocol.exe	85

C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:2072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 448
      4⤵
      Program crash
      PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 460
  2⤵
  - Program crash
  PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1424 -ip 1424
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4496 -ip 4496
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
116KB

MD5
000bb2fe73feae1a5919a88bd3c9d029

SHA1
7cb1d43003bf706bf7fbcfcdfaab7f4a384a68aa

SHA256
82776f45c4e1db930c8a4a10f5a46a040a69fbe476f2cd29987d0b05be1f4537

SHA512
28e61d50af793b172dd17626d76488e330848cde91942ad8689299411086238e26fab2c3c3e8ffe2b65fab247a4f82b8d9446e0bc9faca1061832b034f119334

Download Submit
memory/2072-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2072-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2072-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads