ff7b9b2ef6e5eecb760e23ea502e4010c9e94d7c673ad5c5aa742160b455b24d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 02:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3759203736b142ce803638bc75207ef2_JaffaCakes118.exe
Size

7.8MB
MD5

3759203736b142ce803638bc75207ef2
SHA1

a86de2fdca17d24b5a73d8ed75bc983b17565e74
SHA256

ff7b9b2ef6e5eecb760e23ea502e4010c9e94d7c673ad5c5aa742160b455b24d
SHA512

57a792beaa70527c12250081c5114849685366b3cee84b569d55700a434117d5db201f30eb72e9534afa22b892df31a8c02b6e7bf36eebe0b7da47cb5d9649d5
SSDEEP

196608:TZf68zZ1NeQZ8zZB5d3xAzZ1NeQZ8zZ+jkgzkA+BzZ1NeQZ8zZB5d3xAzZ1NeQZw:Vf6ONeii30NeivwAENeii30Nei

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2996-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0009000000023443-12.dat	upx
behavioral2/memory/2392-13-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
3512	2392	WerFault.exe	86
2300	2392	WerFault.exe	86
2436	2392	WerFault.exe	86
232	2392	WerFault.exe	86
1064	2392	WerFault.exe	86
564	2392	WerFault.exe	86
1084	2392	WerFault.exe	86
1036	2392	WerFault.exe	86
2116	2392	WerFault.exe	86
3108	2392	WerFault.exe	86
2868	2392	WerFault.exe	86
2496	2392	WerFault.exe	86
2336	2392	WerFault.exe	86
4196	2392	WerFault.exe	86
944	2392	WerFault.exe	86
544	2392	WerFault.exe	86

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3672	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2996	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2996	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe
2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2392	2996	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	86
PID 2996 wrote to memory of 2392	2996	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	86
PID 2996 wrote to memory of 2392	2996	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	86
PID 2392 wrote to memory of 3672	2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	88
PID 2392 wrote to memory of 3672	2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	88
PID 2392 wrote to memory of 3672	2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	88
PID 2392 wrote to memory of 3232	2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	90
PID 2392 wrote to memory of 3232	2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	90
PID 2392 wrote to memory of 3232	2392	3759203736b142ce803638bc75207ef2_JaffaCakes118.exe	90
PID 3232 wrote to memory of 3220	3232	cmd.exe	92
PID 3232 wrote to memory of 3220	3232	cmd.exe	92
PID 3232 wrote to memory of 3220	3232	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\3759203736b142ce803638bc75207ef2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3759203736b142ce803638bc75207ef2_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\3759203736b142ce803638bc75207ef2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3759203736b142ce803638bc75207ef2_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\3759203736b142ce803638bc75207ef2_JaffaCakes118.exe" /TN SSr3lSGI950b /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN SSr3lSGI950b > C:\Users\Admin\AppData\Local\Temp\jCeCIZ.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN SSr3lSGI950b
      4⤵
      PID:3220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 616
    3⤵
    - Program crash
    PID:3512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636
    3⤵
    - Program crash
    PID:2300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 716
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 644
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 740
    3⤵
    - Program crash
    PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 780
    3⤵
    - Program crash
    PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1456
    3⤵
    - Program crash
    PID:1084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1520
    3⤵
    - Program crash
    PID:1036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1732
    3⤵
    - Program crash
    PID:2116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1696
    3⤵
    - Program crash
    PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1528
    3⤵
    - Program crash
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1708
    3⤵
    - Program crash
    PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1732
    3⤵
    - Program crash
    PID:2336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1748
    3⤵
    - Program crash
    PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1760
    3⤵
    - Program crash
    PID:944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 712
    3⤵
    - Program crash
    PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2392 -ip 2392
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2392 -ip 2392
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2392 -ip 2392
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2392 -ip 2392
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2392 -ip 2392
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2392 -ip 2392
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2392 -ip 2392
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2392 -ip 2392
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2392 -ip 2392
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2392 -ip 2392
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2392 -ip 2392
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2392 -ip 2392
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2392 -ip 2392
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2392 -ip 2392
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2392 -ip 2392
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2392 -ip 2392
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3759203736b142ce803638bc75207ef2_JaffaCakes118.exe

Filesize
7.8MB

MD5
4bdf70abd7229150ce80e324374bbd65

SHA1
bf621dff764c732d7263a6a3fbaefd7223d520bb

SHA256
23be02c1746ecb0e10d62282e17725eb44c6c83cca8a08b59b4893c8b3958b53

SHA512
33488e49b6c308b8bb95c3e3bc5cef0da66da02992f720f678571bf12a8e527391ad5801237daa73fd3fc844d499064fe2bb7f58c9ab26840531d50d0048d7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCeCIZ.xml

Filesize
1KB

MD5
213131474c8eb53bcd392f14276b1373

SHA1
02d93203af1b7e0a5fd69acf93e30e967138e930

SHA256
cedcbb5f52e5a799fb1b204b20a84c0be6cdf9d2c753dfb858b76bd7c08b05a8

SHA512
cff51b7c2bb07b05704b01c8a2572b20a31d977bfc6658dd9f56e406c5e10aa6e63f3313be3c2ddeb9d21465a3c31ea303958e5861b57b4323b8dd42ba40d807

Download Submit
memory/2392-13-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2392-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2392-21-0x00000000016E0000-0x000000000175E000-memory.dmp

Filesize
504KB

Download
memory/2392-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2392-39-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2996-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2996-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2996-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2996-7-0x0000000025050000-0x00000000250CE000-memory.dmp

Filesize
504KB

Download
memory/2996-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads