Overview

overview

7

Static

static

3

432bb2e967...18.exe

windows7-x64

7

432bb2e967...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe

  • Size

    711KB

  • MD5

    432bb2e967e63a9e81fbb18e3fdf4fea

  • SHA1

    fe2f329bcf2523b7a38c5a8477c78ade8f28b517

  • SHA256

    c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f

  • SHA512

    88361069a769862cfe48b38628ebf2f634c73819d20b8fc2ed15e47e442cbf45e54e25573248218aa1f3a64f83407e57c0f86c50f84a39fc5a7b6cc9c1b960b1

  • SSDEEP

    12288:FMViJAFvKqrhxrVsVpp7gx6v6XzD/Dgg6P7EBf8tsMm9nAO3BT5UyFLr:SiKFv5jsHp7iXzDaP7+6O3B9F3

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 220
      2⤵
      • Program crash
      PID:680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 228
      2⤵
      • Program crash
      PID:4224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
    1⤵
      PID:852
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5084 -ip 5084
      1⤵
        PID:944
      • C:\Windows\servers.exe
        C:\Windows\servers.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 216
          2⤵
          • Program crash
          PID:5024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 224
          2⤵
          • Program crash
          PID:1268
        • C:\WINDOWS\SysWOW64\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          2⤵
            PID:3404
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 12
              3⤵
              • Program crash
              PID:3408
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1508 -ip 1508
          1⤵
            PID:1544
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1508 -ip 1508
            1⤵
              PID:1180
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3404 -ip 3404
              1⤵
                PID:536

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\servers.exe
                Filesize

                711KB

                MD5

                432bb2e967e63a9e81fbb18e3fdf4fea

                SHA1

                fe2f329bcf2523b7a38c5a8477c78ade8f28b517

                SHA256

                c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f

                SHA512

                88361069a769862cfe48b38628ebf2f634c73819d20b8fc2ed15e47e442cbf45e54e25573248218aa1f3a64f83407e57c0f86c50f84a39fc5a7b6cc9c1b960b1

                Download Submit

              • memory/1508-6-0x0000000000400000-0x00000000004C8000-memory.dmp

                Filesize

                800KB

                Download

              • memory/1508-7-0x0000000000870000-0x0000000000871000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1508-11-0x0000000000400000-0x00000000004C8000-memory.dmp

                Filesize

                800KB

                Download

              • memory/3404-9-0x0000000000400000-0x00000000004C8000-memory.dmp

                Filesize

                800KB

                Download

              • memory/5084-0-0x0000000000400000-0x00000000004C8000-memory.dmp

                Filesize

                800KB

                Download

              • memory/5084-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5084-8-0x0000000000400000-0x00000000004C8000-memory.dmp

                Filesize

                800KB

                Download