0002c23f50fe24bb8154dca21c98dbcff63814f3e836113ee696386cb517b3b5

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
Size

202KB
MD5

5b7d87fdfe031d630af9694b6eb54ad4
SHA1

a594443b3abd6e6b612f3803f9dfa365fb1c1cd5
SHA256

0002c23f50fe24bb8154dca21c98dbcff63814f3e836113ee696386cb517b3b5
SHA512

c841815147f8b6c8cc4a9b5eadf20f60bb25b022c7bec1bfda04767826d38b327b3ea6763b3b1bd4d602b50e0518780d4d26e7f7edfca7faef15b2c3925b9da5
SSDEEP

3072:XJCTWpqbDKCdJkVTIbsqF+yzexOnpR3K50csZLR+88++8oHxzbqLfilUB74XnqrJ:X90DKGzF+KeOpMIRk+LExzWvB74aH9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2808	wingtp.exe
2636	wingtp.exe
1136	wingtp.exe
484	wingtp.exe
2984	wingtp.exe
1756	wingtp.exe
1968	wingtp.exe
1092	wingtp.exe

Loads dropped DLL 16 IoCs

pid	Process
2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
2808	wingtp.exe
2808	wingtp.exe
2636	wingtp.exe
2636	wingtp.exe
1136	wingtp.exe
1136	wingtp.exe
484	wingtp.exe
484	wingtp.exe
2984	wingtp.exe
2984	wingtp.exe
1756	wingtp.exe
1756	wingtp.exe
1968	wingtp.exe
1968	wingtp.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wingtp.exe	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File opened for modification	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe
File created	C:\Windows\SysWOW64\wingtp.exe	wingtp.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
2808	wingtp.exe
2808	wingtp.exe
2808	wingtp.exe
2636	wingtp.exe
2636	wingtp.exe
2636	wingtp.exe
1136	wingtp.exe
1136	wingtp.exe
1136	wingtp.exe
484	wingtp.exe
484	wingtp.exe
484	wingtp.exe
2984	wingtp.exe
2984	wingtp.exe
2984	wingtp.exe
1756	wingtp.exe
1756	wingtp.exe
1756	wingtp.exe
1968	wingtp.exe
1968	wingtp.exe
1968	wingtp.exe
1092	wingtp.exe
1092	wingtp.exe
1092	wingtp.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2808	2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2808	2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2808	2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2808	2864	5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2636	2808	wingtp.exe	32
PID 2808 wrote to memory of 2636	2808	wingtp.exe	32
PID 2808 wrote to memory of 2636	2808	wingtp.exe	32
PID 2808 wrote to memory of 2636	2808	wingtp.exe	32
PID 2636 wrote to memory of 1136	2636	wingtp.exe	33
PID 2636 wrote to memory of 1136	2636	wingtp.exe	33
PID 2636 wrote to memory of 1136	2636	wingtp.exe	33
PID 2636 wrote to memory of 1136	2636	wingtp.exe	33
PID 1136 wrote to memory of 484	1136	wingtp.exe	34
PID 1136 wrote to memory of 484	1136	wingtp.exe	34
PID 1136 wrote to memory of 484	1136	wingtp.exe	34
PID 1136 wrote to memory of 484	1136	wingtp.exe	34
PID 484 wrote to memory of 2984	484	wingtp.exe	35
PID 484 wrote to memory of 2984	484	wingtp.exe	35
PID 484 wrote to memory of 2984	484	wingtp.exe	35
PID 484 wrote to memory of 2984	484	wingtp.exe	35
PID 2984 wrote to memory of 1756	2984	wingtp.exe	36
PID 2984 wrote to memory of 1756	2984	wingtp.exe	36
PID 2984 wrote to memory of 1756	2984	wingtp.exe	36
PID 2984 wrote to memory of 1756	2984	wingtp.exe	36
PID 1756 wrote to memory of 1968	1756	wingtp.exe	37
PID 1756 wrote to memory of 1968	1756	wingtp.exe	37
PID 1756 wrote to memory of 1968	1756	wingtp.exe	37
PID 1756 wrote to memory of 1968	1756	wingtp.exe	37
PID 1968 wrote to memory of 1092	1968	wingtp.exe	38
PID 1968 wrote to memory of 1092	1968	wingtp.exe	38
PID 1968 wrote to memory of 1092	1968	wingtp.exe	38
PID 1968 wrote to memory of 1092	1968	wingtp.exe	38

C:\Users\Admin\AppData\Local\Temp\5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\wingtp.exe
  C:\Windows\system32\wingtp.exe 560 "C:\Users\Admin\AppData\Local\Temp\5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\wingtp.exe
    C:\Windows\system32\wingtp.exe 612 "C:\Windows\SysWOW64\wingtp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\wingtp.exe
      C:\Windows\system32\wingtp.exe 604 "C:\Windows\SysWOW64\wingtp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\wingtp.exe
        
        C:\Windows\system32\wingtp.exe 620 "C:\Windows\SysWOW64\wingtp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\SysWOW64\wingtp.exe
        
        C:\Windows\system32\wingtp.exe 616 "C:\Windows\SysWOW64\wingtp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\wingtp.exe
        
        C:\Windows\system32\wingtp.exe 628 "C:\Windows\SysWOW64\wingtp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\wingtp.exe
        
        C:\Windows\system32\wingtp.exe 608 "C:\Windows\SysWOW64\wingtp.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\wingtp.exe
        
        C:\Windows\system32\wingtp.exe 636 "C:\Windows\SysWOW64\wingtp.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wingtp.exe

Filesize
202KB

MD5
5b7d87fdfe031d630af9694b6eb54ad4

SHA1
a594443b3abd6e6b612f3803f9dfa365fb1c1cd5

SHA256
0002c23f50fe24bb8154dca21c98dbcff63814f3e836113ee696386cb517b3b5

SHA512
c841815147f8b6c8cc4a9b5eadf20f60bb25b022c7bec1bfda04767826d38b327b3ea6763b3b1bd4d602b50e0518780d4d26e7f7edfca7faef15b2c3925b9da5

Download Submit
memory/484-45-0x0000000002C90000-0x0000000002D2C000-memory.dmp

Filesize
624KB

Download
memory/484-47-0x0000000002C90000-0x0000000002D2C000-memory.dmp

Filesize
624KB

Download
memory/484-40-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/484-41-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1092-69-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1136-39-0x00000000031B0000-0x000000000324C000-memory.dmp

Filesize
624KB

Download
memory/1136-33-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1136-32-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1136-38-0x00000000031B0000-0x000000000324C000-memory.dmp

Filesize
624KB

Download
memory/1756-55-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1756-56-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1756-60-0x0000000002F90000-0x000000000302C000-memory.dmp

Filesize
624KB

Download
memory/1968-61-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1968-63-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/1968-68-0x0000000003060000-0x00000000030FC000-memory.dmp

Filesize
624KB

Download
memory/2636-30-0x0000000002F50000-0x0000000002FEC000-memory.dmp

Filesize
624KB

Download
memory/2636-29-0x0000000002F50000-0x0000000002FEC000-memory.dmp

Filesize
624KB

Download
memory/2636-25-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/2636-24-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/2808-22-0x00000000030F0000-0x000000000318C000-memory.dmp

Filesize
624KB

Download
memory/2808-21-0x00000000030F0000-0x000000000318C000-memory.dmp

Filesize
624KB

Download
memory/2808-16-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/2864-0-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/2864-14-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/2864-10-0x0000000003290000-0x000000000332C000-memory.dmp

Filesize
624KB

Download
memory/2864-11-0x0000000003290000-0x000000000332C000-memory.dmp

Filesize
624KB

Download
memory/2984-49-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download
memory/2984-53-0x0000000002F60000-0x0000000002FFC000-memory.dmp

Filesize
624KB

Download
memory/2984-48-0x0000000000400000-0x000000000049B200-memory.dmp

Filesize
620KB

Download