420c29fb740d2dd36151487bffc032f18c9477e31ebb43dffe8767752f690015

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 23:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe
Size

317KB
MD5

65391f818b128e1fb50dcbedb6547d0a
SHA1

50b0cd1281fcd76b073c04c14a3d07f50f837d40
SHA256

420c29fb740d2dd36151487bffc032f18c9477e31ebb43dffe8767752f690015
SHA512

15e20ebbce825282f014ba99eda77735907ad5ed6d7c9f22f6e17cc2f2abc7467d5bccab56cdacad28d1c7f8170e3f61a21c7d6bd593e2175a44d654da6fd214
SSDEEP

6144:io2TqeC/4nXA13lwjbjHMGcnr6hDLCF1bzzFD5BrOSMInBOwUsD1N:ibbnX5Hrlcnr6hDLstzzYSMaBOwUsRN

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4496	fKpEiBe01828.exe

Executes dropped EXE 1 IoCs

pid	Process
4496	fKpEiBe01828.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1272-4-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1272-2-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1272-5-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1272-6-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4496-21-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4496-20-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4496-19-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1272-24-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4496-25-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4496-37-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1272-44-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fKpEiBe01828 = "C:\\ProgramData\\fKpEiBe01828\\fKpEiBe01828.exe"	fKpEiBe01828.exe

Program crash 26 IoCs

pid	pid_target	Process	procid_target
2884	1272	WerFault.exe	83
1644	4496	WerFault.exe	87
1276	1272	WerFault.exe	83
3000	4496	WerFault.exe	87
2168	1272	WerFault.exe	83
4712	4496	WerFault.exe	87
5112	1272	WerFault.exe	83
1008	4496	WerFault.exe	87
2416	1272	WerFault.exe	83
4288	4496	WerFault.exe	87
964	1272	WerFault.exe	83
1496	4496	WerFault.exe	87
5068	1272	WerFault.exe	83
2524	4496	WerFault.exe	87
2216	4496	WerFault.exe	87
4928	4496	WerFault.exe	87
3968	4496	WerFault.exe	87
5032	4496	WerFault.exe	87
1008	4496	WerFault.exe	87
5016	4496	WerFault.exe	87
944	4496	WerFault.exe	87
2512	4496	WerFault.exe	87
3492	1272	WerFault.exe	83
2804	1272	WerFault.exe	83
952	4496	WerFault.exe	87
4308	4496	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe
Token: SeDebugPrivilege	4496	fKpEiBe01828.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4496	fKpEiBe01828.exe
4496	fKpEiBe01828.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4496	fKpEiBe01828.exe
4496	fKpEiBe01828.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4496	fKpEiBe01828.exe
4496	fKpEiBe01828.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 4496	1272	65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe	87
PID 1272 wrote to memory of 4496	1272	65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe	87
PID 1272 wrote to memory of 4496	1272	65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\ProgramData\fKpEiBe01828\fKpEiBe01828.exe
  "C:\ProgramData\fKpEiBe01828\fKpEiBe01828.exe" "C:\Users\Admin\AppData\Local\Temp\65391f818b128e1fb50dcbedb6547d0a_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 760
    3⤵
    - Program crash
    PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 768
    3⤵
    - Program crash
    PID:3000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 812
    3⤵
    - Program crash
    PID:4712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 820
    3⤵
    - Program crash
    PID:1008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 972
    3⤵
    - Program crash
    PID:4288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 996
    3⤵
    - Program crash
    PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1172
    3⤵
    - Program crash
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 992
    3⤵
    - Program crash
    PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1408
    3⤵
    - Program crash
    PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1620
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 928
    3⤵
    - Program crash
    PID:5032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 636
    3⤵
    - Program crash
    PID:1008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1652
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1808
    3⤵
    - Program crash
    PID:944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1816
    3⤵
    - Program crash
    PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 996
    3⤵
    - Program crash
    PID:952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 784
    3⤵
    - Program crash
    PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 616
  2⤵
  - Program crash
  PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 788
  2⤵
  - Program crash
  PID:1276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 796
  2⤵
  - Program crash
  PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 836
  2⤵
  - Program crash
  PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 844
  2⤵
  - Program crash
  PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1004
  2⤵
  - Program crash
  PID:964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1040
  2⤵
  - Program crash
  PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 640
  2⤵
  - Program crash
  PID:3492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 140
  2⤵
  - Program crash
  PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1272 -ip 1272
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4496 -ip 4496
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1272 -ip 1272
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4496 -ip 4496
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1272 -ip 1272
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4496 -ip 4496
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1272 -ip 1272
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4496 -ip 4496
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1272 -ip 1272
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4496 -ip 4496
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1272 -ip 1272
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4496 -ip 4496
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1272 -ip 1272
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4496 -ip 4496
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4496 -ip 4496
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4496 -ip 4496
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4496 -ip 4496
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4496 -ip 4496
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4496 -ip 4496
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4496 -ip 4496
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4496 -ip 4496
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4496 -ip 4496
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1272 -ip 1272
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 1272 -ip 1272
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 4496 -ip 4496
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4496 -ip 4496
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fKpEiBe01828\fKpEiBe01828.exe

Filesize
317KB

MD5
1d22133c282917a87f96bd0cad13fdf5

SHA1
13b05ee5eecc740d83a192f4569a679ed71fd2b2

SHA256
aae7d40d50a81034b0a8e24b37c58675970f7133be3dce2084be800c70fce4a5

SHA512
0eb3641770da84e828950bde0cb2b2cc20ee2f9da55051c916adf3eebfeff209e78e46cd247ce235a33d7079dd10d4855364c986b007c52a9c88121d0832b51d

Download Submit
memory/1272-24-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-1-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-4-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-2-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-5-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-6-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-44-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1272-0-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/1272-26-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/4496-21-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4496-19-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4496-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4496-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4496-37-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4496-15-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads