01db040f498ed0b4b3df6337f1dd5ff472876bd70a72f96543966302ee97bfb8

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
Size

174KB
MD5

420973540d2d7fbde1d20890815eb81b
SHA1

b39b10aa5800dd4ecb3f33855e48a38c8c5f0b93
SHA256

01db040f498ed0b4b3df6337f1dd5ff472876bd70a72f96543966302ee97bfb8
SHA512

7c6a5ba161ef4b3df885baed7cfd89fe39c9cd7be64f09241864603970b68983f314b25ebc06db78e6d0e6d62fd2ff85f43deabda952334c19d19a9a6bf80af0
SSDEEP

3072:scDV6Az1lWgFvYGnJd6KpZV3uTN9WU/G9B32w590Kqm/32nzNvI+x/tW:NQAKgFvYGJd6KpZV3uTN9WU/G9BGw59d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	CryptedFile.exe

Loads dropped DLL 3 IoCs

pid	Process
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2728	WerFault.exe	31

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2728	2924	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2728	2924	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2728	2924	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2728	2924	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2648	2728	CryptedFile.exe	32
PID 2728 wrote to memory of 2648	2728	CryptedFile.exe	32
PID 2728 wrote to memory of 2648	2728	CryptedFile.exe	32
PID 2728 wrote to memory of 2648	2728	CryptedFile.exe	32

C:\Users\Admin\AppData\Local\Temp\420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe

Filesize
10KB

MD5
c74e581603935190248b357711862d72

SHA1
68e52d3c68c2903b6391646e230948d14d012471

SHA256
d75800dad7f80def296ea8416c8a8902c38ab61472c5a9ccdfd9eed85448c4dc

SHA512
fc882c1392341cab3146e94eba92438799a6b604590fe0f2f9db84e7662ecec0e5bc4c6375d8ae6cbceff5257c3f9f74244f131f8dfa31d71871c7202798d519

Download Submit
memory/2728-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2924-0-0x000007FEF556E000-0x000007FEF556F000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-2-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-4-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-12-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download