c80f3cd8218d86f5a38c687c3a00b9a229666276abb319bd5557bf8ffe3b923f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
Size

15KB
MD5

4db4c03f21b2b527672f92a67a4c3cf7
SHA1

412742a333603e242774ca2603c2a11cb1ec5e29
SHA256

c80f3cd8218d86f5a38c687c3a00b9a229666276abb319bd5557bf8ffe3b923f
SHA512

d248f46eea38d84791f6906371b4fc085e8b9adde80615acd2bdc3aeed08c1a300747a0e89c0c2fc4bd2d1a85ab450cdce4ea48abef2fbad0d50488cb1640dcb
SSDEEP

384:UaT42VbMgnbJDJefeprG17ydqYk4hhN/u5Z+Y:DFVw6NVNprG17OqUhvFY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 15 IoCs

pid	Process
2676	svchost.exe
4024	explorer.exe
2020	explorer.exe
2060	explorer.exe
4372	explorer.exe
2700	explorer.exe
2200	explorer.exe
4592	explorer.exe
1948	explorer.exe
2164	explorer.exe
2404	explorer.exe
1532	explorer.exe
2484	explorer.exe
668	explorer.exe
4624	explorer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\svchost.exe	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1532	4024	WerFault.exe	87
4784	2020	WerFault.exe	92
4848	2060	WerFault.exe	98
1840	4372	WerFault.exe	103
2148	2700	WerFault.exe	107
680	2200	WerFault.exe	111
1012	4592	WerFault.exe	115
2172	1948	WerFault.exe	119
4996	2164	WerFault.exe	123
4732	2404	WerFault.exe	127
3480	1532	WerFault.exe	131
4204	2484	WerFault.exe	135
2612	668	WerFault.exe	139
4688	4624	WerFault.exe	143

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
408	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
408	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
2676	svchost.exe
2676	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 2676	408	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	86
PID 408 wrote to memory of 2676	408	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	86
PID 408 wrote to memory of 2676	408	4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe	86
PID 2676 wrote to memory of 4024	2676	svchost.exe	87
PID 2676 wrote to memory of 4024	2676	svchost.exe	87
PID 2676 wrote to memory of 4024	2676	svchost.exe	87
PID 2676 wrote to memory of 2020	2676	svchost.exe	92
PID 2676 wrote to memory of 2020	2676	svchost.exe	92
PID 2676 wrote to memory of 2020	2676	svchost.exe	92
PID 2676 wrote to memory of 2060	2676	svchost.exe	98
PID 2676 wrote to memory of 2060	2676	svchost.exe	98
PID 2676 wrote to memory of 2060	2676	svchost.exe	98
PID 2676 wrote to memory of 4372	2676	svchost.exe	103
PID 2676 wrote to memory of 4372	2676	svchost.exe	103
PID 2676 wrote to memory of 4372	2676	svchost.exe	103
PID 2676 wrote to memory of 2700	2676	svchost.exe	107
PID 2676 wrote to memory of 2700	2676	svchost.exe	107
PID 2676 wrote to memory of 2700	2676	svchost.exe	107
PID 2676 wrote to memory of 2200	2676	svchost.exe	111
PID 2676 wrote to memory of 2200	2676	svchost.exe	111
PID 2676 wrote to memory of 2200	2676	svchost.exe	111
PID 2676 wrote to memory of 4592	2676	svchost.exe	115
PID 2676 wrote to memory of 4592	2676	svchost.exe	115
PID 2676 wrote to memory of 4592	2676	svchost.exe	115
PID 2676 wrote to memory of 1948	2676	svchost.exe	119
PID 2676 wrote to memory of 1948	2676	svchost.exe	119
PID 2676 wrote to memory of 1948	2676	svchost.exe	119
PID 2676 wrote to memory of 2164	2676	svchost.exe	123
PID 2676 wrote to memory of 2164	2676	svchost.exe	123
PID 2676 wrote to memory of 2164	2676	svchost.exe	123
PID 2676 wrote to memory of 2404	2676	svchost.exe	127
PID 2676 wrote to memory of 2404	2676	svchost.exe	127
PID 2676 wrote to memory of 2404	2676	svchost.exe	127
PID 2676 wrote to memory of 1532	2676	svchost.exe	131
PID 2676 wrote to memory of 1532	2676	svchost.exe	131
PID 2676 wrote to memory of 1532	2676	svchost.exe	131
PID 2676 wrote to memory of 2484	2676	svchost.exe	135
PID 2676 wrote to memory of 2484	2676	svchost.exe	135
PID 2676 wrote to memory of 2484	2676	svchost.exe	135
PID 2676 wrote to memory of 668	2676	svchost.exe	139
PID 2676 wrote to memory of 668	2676	svchost.exe	139
PID 2676 wrote to memory of 668	2676	svchost.exe	139
PID 2676 wrote to memory of 4624	2676	svchost.exe	143
PID 2676 wrote to memory of 4624	2676	svchost.exe	143
PID 2676 wrote to memory of 4624	2676	svchost.exe	143

C:\Users\Admin\AppData\Local\Temp\4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4db4c03f21b2b527672f92a67a4c3cf7_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\Fonts\svchost.exe
  C:\Windows\Fonts\svchost.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.1 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:4024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 284
      4⤵
      Program crash
      PID:1532
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.2 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 248
      4⤵
      Program crash
      PID:4784
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.3 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 248
      4⤵
      Program crash
      PID:4848
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.4 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 248
      4⤵
      Program crash
      PID:1840
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.5 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 248
      4⤵
      Program crash
      PID:2148
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.6 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 248
      4⤵
      Program crash
      PID:680
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.7 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 248
      4⤵
      Program crash
      PID:1012
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.8 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:1948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 248
      4⤵
      Program crash
      PID:2172
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.9 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 248
      4⤵
      Program crash
      PID:4996
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.10 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 248
      4⤵
      Program crash
      PID:4732
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.11 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:1532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 248
      4⤵
      Program crash
      PID:3480
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.12 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:2484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 248
      4⤵
      Program crash
      PID:4204
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.13 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 252
      4⤵
      Program crash
      PID:2612
- - C:\Windows\Downloaded Program Files\explorer.exe
    "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.1.14 http://x.wuc7.com/ww.exe
    3⤵
    - Executes dropped EXE
    PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 248
      4⤵
      Program crash
      PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2020 -ip 2020
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2060 -ip 2060
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4372 -ip 4372
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2700 -ip 2700
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2200 -ip 2200
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4592 -ip 4592
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1948 -ip 1948
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2164 -ip 2164
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2404 -ip 2404
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1532 -ip 1532
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2484 -ip 2484
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 668 -ip 668
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4624 -ip 4624
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Downloaded Program Files\explorer.exe

Filesize
3KB

MD5
d2c3349a566a814a3d793f82ad7d8a65

SHA1
66f23c6633b21702b3ea3a936358907ca35a593e

SHA256
c4bab8beb591701e6fc5b33dea445e05a02703432d88ca90d47e2c5a46e68e23

SHA512
98a8621d2c23853299f1210f626a14500b746995582d34ef362e87b7d5ae172a4ef40356b9a61ff6e1deed53c2f76d79d8c6563ecce161bde2c58bbc66d2b1ef

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
13KB

MD5
a1366d2df55732452d78943b7194721c

SHA1
d983728526397bc9f65d2e380eb9a672d5dcca0a

SHA256
1d73be55f889480692a00ba7d49ea26ba68243fe6f94f7c5f1dbd51027239a66

SHA512
bb53e994587819f3f224fd0fb200f271079751fee46f5032083d8ae54f8aa5e825e5e5483c3d705a76b4f92ed9b20ed85641db6d4a49d9121e69058c65d9f744

Download Submit