70b4f96142dff1ee461be631ac40e1ded2b425dd1223d2e1d7f89f6513ca7372

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe
Size

387KB
MD5

3de39d311293a9cdbef5e557b92ddf61
SHA1

9bc9f526f22861325ef6aa558db2ef16ef6a9cbc
SHA256

70b4f96142dff1ee461be631ac40e1ded2b425dd1223d2e1d7f89f6513ca7372
SHA512

e5b79492f8dacc82acdfaeb753baefb8235ec9e067a080840f92abb874608ecc6421625768588b4cfbf997e9eefb0ee5f3a429da3db7c84ccf002ecb25da3227
SSDEEP

6144:I9TMlSVMM9TOEvtruUnIKvS+eWjpMSRjiQgSsDlS+jlS:IhnHhBt6UnIceEs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
2904	install_flash_player.exe
2236	Beaver's E-Mail Bomber.exe
2720	install_flash_player.exe
2624	wuamgard.exe
2128	wuamgard.exe
344	wuamgard.exe
1576	wuamgard.exe
2952	wuamgard.exe
1684	wuamgard.exe
2796	wuamgard.exe
2196	wuamgard.exe
1964	wuamgard.exe
2224	wuamgard.exe
1376	wuamgard.exe
844	wuamgard.exe
2484	wuamgard.exe
700	wuamgard.exe
1032	wuamgard.exe
2456	wuamgard.exe
2696	wuamgard.exe
1676	wuamgard.exe
2832	wuamgard.exe
2880	wuamgard.exe

Loads dropped DLL 64 IoCs

pid	Process
2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe
2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe
2904	install_flash_player.exe
2904	install_flash_player.exe
2904	install_flash_player.exe
2904	install_flash_player.exe
2720	install_flash_player.exe
2720	install_flash_player.exe
2720	install_flash_player.exe
2720	install_flash_player.exe
2720	install_flash_player.exe
2624	wuamgard.exe
2624	wuamgard.exe
2624	wuamgard.exe
2624	wuamgard.exe
2128	wuamgard.exe
2128	wuamgard.exe
2128	wuamgard.exe
2128	wuamgard.exe
2128	wuamgard.exe
344	wuamgard.exe
344	wuamgard.exe
344	wuamgard.exe
344	wuamgard.exe
1576	wuamgard.exe
1576	wuamgard.exe
1576	wuamgard.exe
1576	wuamgard.exe
1576	wuamgard.exe
2952	wuamgard.exe
2952	wuamgard.exe
2952	wuamgard.exe
2952	wuamgard.exe
1684	wuamgard.exe
1684	wuamgard.exe
1684	wuamgard.exe
1684	wuamgard.exe
1684	wuamgard.exe
2796	wuamgard.exe
2796	wuamgard.exe
2796	wuamgard.exe
2796	wuamgard.exe
2196	wuamgard.exe
2196	wuamgard.exe
2196	wuamgard.exe
2196	wuamgard.exe
2196	wuamgard.exe
1964	wuamgard.exe
1964	wuamgard.exe
1964	wuamgard.exe
1964	wuamgard.exe
2224	wuamgard.exe
2224	wuamgard.exe
2224	wuamgard.exe
2224	wuamgard.exe
2224	wuamgard.exe
1376	wuamgard.exe
1376	wuamgard.exe
1376	wuamgard.exe
1376	wuamgard.exe
844	wuamgard.exe
844	wuamgard.exe
844	wuamgard.exe
844	wuamgard.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	install_flash_player.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File opened for modification	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	install_flash_player.exe
File created	C:\Windows\SysWOW64\wuamgard.exe	wuamgard.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2720	2904	install_flash_player.exe	32
PID 2624 set thread context of 2128	2624	wuamgard.exe	34
PID 344 set thread context of 1576	344	wuamgard.exe	37
PID 2952 set thread context of 1684	2952	wuamgard.exe	39
PID 2796 set thread context of 2196	2796	wuamgard.exe	41
PID 1964 set thread context of 2224	1964	wuamgard.exe	43
PID 1376 set thread context of 844	1376	wuamgard.exe	45
PID 2484 set thread context of 700	2484	wuamgard.exe	47
PID 1032 set thread context of 2456	1032	wuamgard.exe	49
PID 2696 set thread context of 1676	2696	wuamgard.exe	51
PID 2832 set thread context of 2880	2832	wuamgard.exe	53

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2904	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2236	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2236	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2236	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2236	2540	3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2904 wrote to memory of 2720	2904	install_flash_player.exe	32
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2720 wrote to memory of 2624	2720	install_flash_player.exe	33
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2624 wrote to memory of 2128	2624	wuamgard.exe	34
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 2128 wrote to memory of 344	2128	wuamgard.exe	36
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 344 wrote to memory of 1576	344	wuamgard.exe	37
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 1576 wrote to memory of 2952	1576	wuamgard.exe	38
PID 2952 wrote to memory of 1684	2952	wuamgard.exe	39
PID 2952 wrote to memory of 1684	2952	wuamgard.exe	39
PID 2952 wrote to memory of 1684	2952	wuamgard.exe	39
PID 2952 wrote to memory of 1684	2952	wuamgard.exe	39
PID 2952 wrote to memory of 1684	2952	wuamgard.exe	39

C:\Users\Admin\AppData\Local\Temp\3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
  "C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
    C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\wuamgard.exe
      C:\Windows\system32\wuamgard.exe 536 "C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 592 "C:\Windows\SysWOW64\wuamgard.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2796
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1964
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1376
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2484
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1032
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2696
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\system32\wuamgard.exe 588 "C:\Windows\SysWOW64\wuamgard.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2832
        
        C:\Windows\SysWOW64\wuamgard.exe
        
        C:\Windows\SysWOW64\wuamgard.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
- C:\Users\Admin\AppData\Local\Temp\Beaver's E-Mail Bomber.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaver's E-Mail Bomber.exe"
  2⤵
  - Executes dropped EXE
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Beaver's E-Mail Bomber.exe

Filesize
94KB

MD5
b03e54a8188aac4c75915ab44550c033

SHA1
e4362465e02be15c7d7a806205f3b12f94208eda

SHA256
109c443308f6732ab7debeb21052df4ac211149edc9f7c434e06c78640c2ebd5

SHA512
91d22bbdd9bd2a58f8169aa2b70287e5603a5fdfee78b19dbb5139b3219da9aed0b4bd1ea14cf96b89cb6560dac243fd1e71e6aefe5f13c3db1b3b6236dc8dc5

Download Submit
\Users\Admin\AppData\Local\Temp\install_flash_player.exe

Filesize
231KB

MD5
9955cb328648677787bfabf1b953f508

SHA1
b67d75492b84980fc3acbe651b142fb63b9a2f3b

SHA256
9089e1b8ed19287d3a84610760c62ad63bbf5becbf4ea3e6e70934725d00cccf

SHA512
8aa1087adf3953394eb57082e77e65cf425663b9df26bf612f40ea3c78dcdf6080b5608f82a11f1afeaf1fbd2f0f736b49176a33b646373efc8cc516fe39fb77

Download Submit
memory/1576-81-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1684-102-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2128-59-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2128-58-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2196-123-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2224-138-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2236-32-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-33-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-80-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-16-0x000007FEF62AE000-0x000007FEF62AF000-memory.dmp

Filesize
4KB

Download
memory/2720-46-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2720-28-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2720-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-21-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2720-23-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2720-19-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download