f31210786cbabbdea7382aeab2b4b52083c0f089b42bc9afd646c262eef68236

Analysis

max time kernel
137s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62902db8994a5807c218009e89450b03_JaffaCakes118.exe
Size

216KB
MD5

62902db8994a5807c218009e89450b03
SHA1

4671392157e62707ca6eb8b1af3091be68669465
SHA256

f31210786cbabbdea7382aeab2b4b52083c0f089b42bc9afd646c262eef68236
SHA512

4c5ef75020e15e28c7ae076ad7061ff0a231fcb50e2a38264ac6e4910c732b475cd79cfe2a7cb185acfb325adffdd4f446f2ec7ab153d4f6bc7d3c98bf8e84af
SSDEEP

3072:TMpb5LjxcYtMgUeVKFlqOngFIzNKPMWhSA+FudyiJEDyJ:T2b5LY7IilqlCsK7FuDEmJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	62902db8994a5807c218009e89450b03_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	regsvr32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\win32_77c.dll	62902db8994a5807c218009e89450b03_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3276	1604	WerFault.exe	83
3260	1728	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1728	1604	62902db8994a5807c218009e89450b03_JaffaCakes118.exe	84
PID 1604 wrote to memory of 1728	1604	62902db8994a5807c218009e89450b03_JaffaCakes118.exe	84
PID 1604 wrote to memory of 1728	1604	62902db8994a5807c218009e89450b03_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\62902db8994a5807c218009e89450b03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62902db8994a5807c218009e89450b03_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" C:\Windows\win32_77c.dll /s
  2⤵
  - Loads dropped DLL
  PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 616
    3⤵
    - Program crash
    PID:3260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 872
  2⤵
  - Program crash
  PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1604 -ip 1604
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1728 -ip 1728
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win32_77c.dll

Filesize
159KB

MD5
a262799a06011e2e2e049bba43a3f3c1

SHA1
eecd4286f2cf9bc48f3e2fa6bca15eb0a21b65d5

SHA256
6b1c217f7a5220a5e2fd1d1a1a403c46a30dbe6d5c7b3ce5a8b14a1b9d91f1ce

SHA512
aa891c43e9b8129a5e3886dd1f1379ff8b15bae8c5cdcb04657be3a2039e06bde72abe5b809f192c9242e1208fd1a66c68c2925b1f4e87eb258106fc65f8ec84

Download Submit