6d6611463a02ae95421da86ea2be11fbeb260fddfdedb20be9561616ff33ced5

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
Size

321KB
MD5

2e6d7f6edddd23b9cbcb658c0858423b
SHA1

e0d876179a45943dc6f5bcec68f89ad96fdfea1d
SHA256

6d6611463a02ae95421da86ea2be11fbeb260fddfdedb20be9561616ff33ced5
SHA512

44497cbb7b0c2b6bbb448b5ed4ddff8960c08156458f5e0c2b5ef84ec9b1ebad48bf0632c1860d8c0f62fd7b94ab2431dc940ae7126cc7dd981abac1df070d8a
SSDEEP

6144:gXUApieRR7pV97XvJH5cXlGMTVI8xulY0OqtDXj:BA0k7zZcVGWxuxOe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3008	notepad.exe
2904	calc.exe
2780	freebsd.exe

Loads dropped DLL 27 IoCs

pid	Process
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
3008	notepad.exe
3008	notepad.exe
3008	notepad.exe
2780	freebsd.exe
2780	freebsd.exe
2780	freebsd.exe
2904	calc.exe
2904	calc.exe
2904	calc.exe
1852	WerFault.exe
1852	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
2180	WerFault.exe
1852	WerFault.exe
1008	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1852	2780	WerFault.exe
2180	3008	WerFault.exe	30
1008	2904	WerFault.exe	31

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 3008	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2904	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2780	2252	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 3008 wrote to memory of 2180	3008	notepad.exe	33
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2780 wrote to memory of 1852	2780	freebsd.exe	34
PID 2904 wrote to memory of 1008	2904	calc.exe	35
PID 2904 wrote to memory of 1008	2904	calc.exe	35
PID 2904 wrote to memory of 1008	2904	calc.exe	35
PID 2904 wrote to memory of 1008	2904	calc.exe	35
PID 2904 wrote to memory of 1008	2904	calc.exe	35
PID 2904 wrote to memory of 1008	2904	calc.exe	35
PID 2904 wrote to memory of 1008	2904	calc.exe	35

C:\Users\Admin\AppData\Local\Temp\2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\notepad.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2180
- C:\Users\Admin\AppData\Local\Temp\calc.exe
  C:\Users\Admin\AppData\Local\Temp\calc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1008
- C:\Users\Admin\AppData\Local\Temp\freebsd.exe
  C:\Users\Admin\AppData\Local\Temp\freebsd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\freebsd.exe

Filesize
27KB

MD5
a2b68773a9f02e87cd28fac4d1b5b07d

SHA1
bef3838c5b05bb5bad99a40b8bfca85e437bf2b4

SHA256
d2dcfbc6ba2b9a4e2d7ca966965a50123c6a3d2416e46105888ec62ef162658f

SHA512
5073ac55e2b1abd30255d1014ff0214c448a3558a144cfcaa431fa589c2492d4de94ba20020b4f5e869be0908234a2166f9d6adff21b8e019c1c7868e34ddbfa

Download Submit
\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
50KB

MD5
d62e4ded2a8d67d1a7c8f171c5ad8b37

SHA1
aa06d54927fe8c5decded29dfbebb78c72ec326c

SHA256
9857032261d7400033793fd51824568e78c22226553c9dd4f628a1e90ad82a6a

SHA512
3e4d4e0e09da5f4e18e9bbe07d42140f49a8f52f5c6c450c9286c9aff30804904f098b1349b20c4c4b50ba0b18e9b48289c140e491e7b569f3f3965ed2581499

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
14KB

MD5
228cf7493dca4189e57d8fa20f47bb54

SHA1
57f5627b533012f43895551dd2c4576cb4d56a8f

SHA256
a902c6d53743a696ab1d6b75d5e8c4fd4ba59370faa223224de66582663e328a

SHA512
3ffff81258739161c77b5f342ff22337dbf458a1e4ee3f2c13cd2414068bb6185ae3f699e7b24c94d19b247fa8d178f54804bae6c09c192cdff35f86387062be

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8104.tmp\DcryptDll.dll

Filesize
10KB

MD5
69dc2ed40717e5a0dfa3feaa902f448e

SHA1
07a6a0b6028a92e0c822cfe9b119aa1e81b28a79

SHA256
73e8489b06789803dcab0f4bcae4281f1477ec652f80714c3b78671f73cfefad

SHA512
f41e457466fcc979864829861bf421ad2589ec6b5afc81d19424f7af285ce1fb7ce25cc4067e53cd379621b5b8098882210e4535a4d53555b7816edcc2186a3c

Download Submit
memory/2252-18-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2252-26-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3008-72-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download