87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
Size

170KB
MD5

3ce1ae2605aa800c205ef63a45ffdbfa
SHA1

8b592b4413cfa168cd704d9943812ffb0b941430
SHA256

87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93
SHA512

25cfd395b022f1216eac7735c6dbc973e388a812a7e710296f194a3018cf40abe459b8bfcecfba652de1f73d5312ad556ac4ab5978354a919ccda15953b96cf8
SSDEEP

3072:8OPTvYsKQrML6dVuamswMeONJZFoC3KwHaxcFjgny86g8jXBu:8O7YENdVutswMZF5KwHaxCwy86ZBu

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2876	KB01061861.exe
2884	kb01061861.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe
2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe
2876	KB01061861.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB01061861.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB01061861.exe\""	kb01061861.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 2876 set thread context of 2884	2876	KB01061861.exe	34

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2740	560	WerFault.exe	28
2804	2876	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	kb01061861.exe
2884	kb01061861.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe
2884	kb01061861.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2884	kb01061861.exe
Token: SeSecurityPrivilege	2740	WerFault.exe
Token: SeDebugPrivilege	2740	WerFault.exe
Token: SeSecurityPrivilege	2844	cmd.exe
Token: SeSecurityPrivilege	2876	KB01061861.exe
Token: SeSecurityPrivilege	2804	WerFault.exe
Token: SeDebugPrivilege	2804	WerFault.exe
Token: SeSecurityPrivilege	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2716	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	29
PID 560 wrote to memory of 2740	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	30
PID 560 wrote to memory of 2740	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	30
PID 560 wrote to memory of 2740	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	30
PID 560 wrote to memory of 2740	560	3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	31
PID 2716 wrote to memory of 2844	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	31
PID 2716 wrote to memory of 2844	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	31
PID 2716 wrote to memory of 2844	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	31
PID 2716 wrote to memory of 2876	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	32
PID 2716 wrote to memory of 2876	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	32
PID 2716 wrote to memory of 2876	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	32
PID 2716 wrote to memory of 2876	2716	3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe	32
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2884	2876	KB01061861.exe	34
PID 2876 wrote to memory of 2804	2876	KB01061861.exe	35
PID 2876 wrote to memory of 2804	2876	KB01061861.exe	35
PID 2876 wrote to memory of 2804	2876	KB01061861.exe	35
PID 2876 wrote to memory of 2804	2876	KB01061861.exe	35
PID 2884 wrote to memory of 560	2884	kb01061861.exe	28
PID 2884 wrote to memory of 2740	2884	kb01061861.exe	30
PID 2884 wrote to memory of 2844	2884	kb01061861.exe	31
PID 2884 wrote to memory of 2876	2884	kb01061861.exe	32
PID 2884 wrote to memory of 2804	2884	kb01061861.exe	35

C:\Users\Admin\AppData\Local\Temp\3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- \??\c:\users\admin\appdata\local\temp\3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe
  "c:\users\admin\appdata\local\temp\3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\exp2194.tmp.bat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Users\Admin\AppData\Roaming\KB01061861.exe
    "C:\Users\Admin\AppData\Roaming\KB01061861.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - \??\c:\users\admin\appdata\roaming\kb01061861.exe
      "c:\users\admin\appdata\roaming\kb01061861.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 144
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 144
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exp2194.tmp.bat

Filesize
286B

MD5
2c1f763190eadd10dc70f8a550f205bf

SHA1
b116451ca1cd74040a3aeb7ba9f4ce63b394a0dc

SHA256
1a78a34662fb41d4c4087bc4dccb57319955ae470da07652d25842b3a9ee2105

SHA512
f60b8c0ee2359e1845ab2b162b81d3f760e86a4583fa6e568dcdd1bd9ba0a1c1c0b3d1bf2ce7fb6562a97ce5177a0de50ea3a9b49c66b7f05598d50f31e219ed

Download Submit
\Users\Admin\AppData\Roaming\KB01061861.exe

Filesize
170KB

MD5
3ce1ae2605aa800c205ef63a45ffdbfa

SHA1
8b592b4413cfa168cd704d9943812ffb0b941430

SHA256
87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93

SHA512
25cfd395b022f1216eac7735c6dbc973e388a812a7e710296f194a3018cf40abe459b8bfcecfba652de1f73d5312ad556ac4ab5978354a919ccda15953b96cf8

Download Submit
memory/560-190-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/560-100-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/560-62-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/2716-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-16-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-29-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-15-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-6-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2740-101-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2740-79-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2740-78-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2740-74-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2740-75-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2740-64-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2740-82-0x0000000000110000-0x0000000000129000-memory.dmp

Filesize
100KB

Download
memory/2804-103-0x00000000001D0000-0x00000000001E9000-memory.dmp

Filesize
100KB

Download
memory/2804-71-0x00000000001D0000-0x00000000001E9000-memory.dmp

Filesize
100KB

Download
memory/2804-192-0x00000000001D0000-0x00000000001E9000-memory.dmp

Filesize
100KB

Download
memory/2844-66-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/2844-72-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/2844-189-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/2876-191-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/2876-68-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/2876-102-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/2884-53-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-51-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-50-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-49-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-187-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-54-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-52-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download