5de9ccd55f6b510562635b6d8c4b2ff5e7ec53ed0769262a757e0b3424dbd888

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe
Size

719KB
MD5

4427baa6b543a972c8a886ba39e9763b
SHA1

8c36edbce5cdfe77edf09041ee0aaa8f33b2a82c
SHA256

5de9ccd55f6b510562635b6d8c4b2ff5e7ec53ed0769262a757e0b3424dbd888
SHA512

6e9f4127b4ba925b115536bfa1873d96b0228ec4c05fa7e17837e5bd0f419c0fffeea5fcffd6e7bbfc1b4047bf57d0d095ab778338c0c6d994bf50a96511bcde
SSDEEP

12288:tTqeQ8YSnAX+MM2RpBM487Ixii64/2hF3Z4mxxnDqVTVOCDX:tTq0n2jneIxii64/2hQmX2VTzb

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2532	2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	2532	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2532	2004	4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe	83
PID 2004 wrote to memory of 2532	2004	4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe	83
PID 2004 wrote to memory of 2532	2004	4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4427baa6b543a972c8a886ba39e9763b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 544
    3⤵
    - Program crash
    PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
356KB

MD5
322d30f2a7817cb8fadb794b95da969f

SHA1
6cd6089e57b423daf06256f1b4c5aca1ea00ae54

SHA256
38e4c8bf4e67ddafe5d999557e458ab09d0ddc5a727e94c76ed93d9375aa07a4

SHA512
46e9ec188c8bf83ed249f15a09cb9496eb37555554a1d0c80689ada35eaa46cc9f1da4cf64d760b84e2864a524697fa9d2bc3d49ce126396af8350986069653c

Download Submit
memory/2004-3-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-2-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-0-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-5-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-7-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-1-0x000000000106F000-0x0000000001070000-memory.dmp

Filesize
4KB

Download
memory/2004-11-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-10-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-6-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-4-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2004-17-0x0000000001000000-0x00000000010C3000-memory.dmp

Filesize
780KB

Download
memory/2532-15-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads