60053fc2289d803a6b20728e2fccf49e179298aa55cf2c1c202d8715d685cc1c

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 14:53

Target

464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
Size

155KB
MD5

464dad78f117c78acf3dbc4da0afeacc
SHA1

9a874812a1d13a058cee34e9e122b6d2d421c778
SHA256

60053fc2289d803a6b20728e2fccf49e179298aa55cf2c1c202d8715d685cc1c
SHA512

dae4c5872579c3a51cd8fd13c3672dd7e3449ce4cc67cf8b95b14027163ab20f79a9a63d1da49e6b43d1677243d9e68b1ee00fc46944628e527766216cb1a55e
SSDEEP

3072:LAwC5wP7dePo8fCcrb/dEqCa8gxaL/kzU4iTYLyww2wqRjlW16BjPqGn:Lx/MZFEqJ8ouyUlYLyww2wGjnjPvn

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	1916	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3268	1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe	85
PID 1916 wrote to memory of 3268	1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe	85
PID 1916 wrote to memory of 3268	1916	464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\464dad78f117c78acf3dbc4da0afeacc_JaffaCakes118.exe"
  2⤵
  PID:3268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1036
  2⤵
  - Program crash
  PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1916 -ip 1916
1⤵
PID:3928

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nm2ytzbbjewqct.dll

Filesize
10KB

MD5
1ca0579358b764f49d199fd22a0f569f

SHA1
15377138e9a7a06ebeece6782edd3f3aa90ba917

SHA256
5520b6a010887b22921e66e0bc384ce320db3e48ae92e0a7654cb0354d23a57f

SHA512
9e0f71ebafd9b086ca65acaafedbdcc03ac8942d23df6e9d37244c739fbc0b964b33a2c666711cd1bde5cfa0f7778146227d5a89816de5718e381743aa36395e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh8C14.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1916-9-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1916-10-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download