c80337e0b02f96e0f77f157bad962df7ef6ca393b8c8b129425c0ebe55d07bc5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240708-en
resource tags

arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
Size

310KB
MD5

2d50182862c8805f1a6f7dc2b70e8291
SHA1

896879024b635f8608a4274a63f3c677c1cc0aa8
SHA256

c80337e0b02f96e0f77f157bad962df7ef6ca393b8c8b129425c0ebe55d07bc5
SHA512

4eb7de747d9e97404d20ed8b46f5e582b08f7232154db294dc4f7c289a6750ea38bd7d4fd9a23fd6bd3f5053db6afdfff70ba2fc471d1189ea66d9a57e289985
SSDEEP

6144:Te5KMTNzzfnZNMcWB4/AYOP4gvgpIyrHbrVZlfJ73dFWylPGFcr8:TMNnTW4/AXPMpzx5lPecY

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4076	kDdFmBp12900.exe

Executes dropped EXE 1 IoCs

pid	Process
4076	kDdFmBp12900.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3128-0-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3128-4-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3128-2-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3128-5-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/4076-17-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/4076-18-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3128-23-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/4076-27-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/4076-32-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3128-43-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kDdFmBp12900 = "C:\\ProgramData\\kDdFmBp12900\\kDdFmBp12900.exe"	kDdFmBp12900.exe

Program crash 30 IoCs

pid	pid_target	Process	procid_target
2128	3128	WerFault.exe	79
2960	3128	WerFault.exe	79
4492	4076	WerFault.exe	86
3152	3128	WerFault.exe	79
4012	4076	WerFault.exe	86
4712	3128	WerFault.exe	79
368	4076	WerFault.exe	86
1980	3128	WerFault.exe	79
5072	4076	WerFault.exe	86
4796	3128	WerFault.exe	79
4952	4076	WerFault.exe	86
1852	3128	WerFault.exe	79
1664	4076	WerFault.exe	86
3276	3128	WerFault.exe	79
3424	4076	WerFault.exe	86
3372	4076	WerFault.exe	86
3868	4076	WerFault.exe	86
2372	4076	WerFault.exe	86
2996	4076	WerFault.exe	86
468	4076	WerFault.exe	86
4356	4076	WerFault.exe	86
2944	4076	WerFault.exe	86
4804	4076	WerFault.exe	86
2284	4076	WerFault.exe	86
3388	4076	WerFault.exe	86
2524	4076	WerFault.exe	86
4888	3128	WerFault.exe	79
4368	3128	WerFault.exe	79
3472	4076	WerFault.exe	86
704	4076	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
Token: SeDebugPrivilege	4076	kDdFmBp12900.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4076	kDdFmBp12900.exe
4076	kDdFmBp12900.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4076	3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe	86
PID 3128 wrote to memory of 4076	3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe	86
PID 3128 wrote to memory of 4076	3128	2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 552
  2⤵
  - Program crash
  PID:2128
- C:\ProgramData\kDdFmBp12900\kDdFmBp12900.exe
  "C:\ProgramData\kDdFmBp12900\kDdFmBp12900.exe" "C:\Users\Admin\AppData\Local\Temp\2d50182862c8805f1a6f7dc2b70e8291_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 620
    3⤵
    - Program crash
    PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 628
    3⤵
    - Program crash
    PID:4012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 788
    3⤵
    - Program crash
    PID:368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 788
    3⤵
    - Program crash
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 840
    3⤵
    - Program crash
    PID:4952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 848
    3⤵
    - Program crash
    PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1008
    3⤵
    - Program crash
    PID:3424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1072
    3⤵
    - Program crash
    PID:3372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1224
    3⤵
    - Program crash
    PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1276
    3⤵
    - Program crash
    PID:2372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1444
    3⤵
    - Program crash
    PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1660
    3⤵
    - Program crash
    PID:468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 660
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1632
    3⤵
    - Program crash
    PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1732
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1844
    3⤵
    - Program crash
    PID:2284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1864
    3⤵
    - Program crash
    PID:3388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 648
    3⤵
    - Program crash
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1768
    3⤵
    - Program crash
    PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 792
    3⤵
    - Program crash
    PID:704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 620
  2⤵
  - Program crash
  PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 792
  2⤵
  - Program crash
  PID:3152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 792
  2⤵
  - Program crash
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 844
  2⤵
  - Program crash
  PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 852
  2⤵
  - Program crash
  PID:4796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1012
  2⤵
  - Program crash
  PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1020
  2⤵
  - Program crash
  PID:3276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 640
  2⤵
  - Program crash
  PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 140
  2⤵
  - Program crash
  PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3128 -ip 3128
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3128 -ip 3128
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4076 -ip 4076
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3128 -ip 3128
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4076 -ip 4076
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3128 -ip 3128
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4076 -ip 4076
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3128 -ip 3128
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4076 -ip 4076
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3128 -ip 3128
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4076 -ip 4076
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3128 -ip 3128
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4076 -ip 4076
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3128 -ip 3128
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4076 -ip 4076
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4076 -ip 4076
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4076 -ip 4076
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4076 -ip 4076
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4076 -ip 4076
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4076 -ip 4076
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4076 -ip 4076
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4076 -ip 4076
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4076 -ip 4076
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4076 -ip 4076
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4076 -ip 4076
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4076 -ip 4076
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3128 -ip 3128
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3128 -ip 3128
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4076 -ip 4076
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4076 -ip 4076
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kDdFmBp12900\kDdFmBp12900.exe

Filesize
310KB

MD5
daad8f5dfacdf88081430a8dde447081

SHA1
05da6fbb11c14cbeae566218f74d71ab7a3566a5

SHA256
a11a65bf8028274ce58fd1674036897b9becb0172b7f6786a2cd216d9d2c7870

SHA512
3f967c2fae44d37774ea62640c24c0fd33cd039fcf410332837ff0b9367bfc4d5030989e23e32831af63ca920273f14dc9c390f0b3923826c40191f38bdba0aa

Download Submit
memory/3128-30-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3128-4-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3128-3-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3128-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3128-5-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3128-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3128-43-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3128-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4076-17-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4076-27-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4076-32-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4076-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download