68d79b1a2a6b6e3bd09918b0254bc0e3d6e9b0eb10d500ba578d564368c4cb36

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Size

3.2MB
MD5

69bb96ddc8f289d60c0e8d42a18aab32
SHA1

fe18c035c76fa49bf4f18b6aa93616087264215f
SHA256

68d79b1a2a6b6e3bd09918b0254bc0e3d6e9b0eb10d500ba578d564368c4cb36
SHA512

b6888d35bc6f78116ab9825cc7951f1ee276acdda7cf1e0ae83a088075e1bea7dee907a8357cc603e3dee7027ecb7a650a5db62bb617adf250ecf9ae9383b401
SSDEEP

98304:EQppZVYBcakctG6wts6b03cakcTzqjcakctG6wts6b03cakcO:tMdlBwttbSdlTWdlBwttbSdlO

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1580-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0009000000023412-12.dat	upx
behavioral2/memory/1920-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com

Program crash 20 IoCs

pid	pid_target	Process	procid_target
2848	1920	WerFault.exe	85
2036	1920	WerFault.exe	85
4252	1920	WerFault.exe	85
396	1920	WerFault.exe	85
5000	1920	WerFault.exe	85
3488	1920	WerFault.exe	85
4320	1920	WerFault.exe	85
4844	1920	WerFault.exe	85
4376	1920	WerFault.exe	85
4712	1920	WerFault.exe	85
3924	1920	WerFault.exe	85
4448	1920	WerFault.exe	85
1736	1920	WerFault.exe	85
4304	1920	WerFault.exe	85
2936	1920	WerFault.exe	85
4340	1920	WerFault.exe	85
1688	1920	WerFault.exe	85
1980	1920	WerFault.exe	85
5072	1920	WerFault.exe	85
2284	1920	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1580	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1580	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1920	1580	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	85
PID 1580 wrote to memory of 1920	1580	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	85
PID 1580 wrote to memory of 1920	1580	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	85
PID 1920 wrote to memory of 2700	1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	86
PID 1920 wrote to memory of 2700	1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	86
PID 1920 wrote to memory of 2700	1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	86
PID 1920 wrote to memory of 3552	1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	88
PID 1920 wrote to memory of 3552	1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	88
PID 1920 wrote to memory of 3552	1920	69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe	88
PID 3552 wrote to memory of 1272	3552	cmd.exe	90
PID 3552 wrote to memory of 1272	3552	cmd.exe	90
PID 3552 wrote to memory of 1272	3552	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe" /TN CPAkKnXcaaad /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN CPAkKnXcaaad > C:\Users\Admin\AppData\Local\Temp\TTPn06N.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN CPAkKnXcaaad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 600
    3⤵
    - Program crash
    PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 632
    3⤵
    - Program crash
    PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 716
    3⤵
    - Program crash
    PID:4252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 724
    3⤵
    - Program crash
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 636
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 780
    3⤵
    - Program crash
    PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1476
    3⤵
    - Program crash
    PID:4320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1536
    3⤵
    - Program crash
    PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1748
    3⤵
    - Program crash
    PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1708
    3⤵
    - Program crash
    PID:4712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1464
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1772
    3⤵
    - Program crash
    PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1544
    3⤵
    - Program crash
    PID:1736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1576
    3⤵
    - Program crash
    PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1600
    3⤵
    - Program crash
    PID:2936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1512
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1836
    3⤵
    - Program crash
    PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1844
    3⤵
    - Program crash
    PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1604
    3⤵
    - Program crash
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 628
    3⤵
    - Program crash
    PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1920 -ip 1920
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1920 -ip 1920
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1920 -ip 1920
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1920 -ip 1920
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1920 -ip 1920
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1920 -ip 1920
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1920 -ip 1920
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1920 -ip 1920
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1920 -ip 1920
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1920 -ip 1920
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1920 -ip 1920
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1920 -ip 1920
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1920 -ip 1920
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1920 -ip 1920
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1920 -ip 1920
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1920 -ip 1920
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1920 -ip 1920
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1920 -ip 1920
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1920 -ip 1920
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Filesize
3.2MB

MD5
a63ae68b02b28aa4ea6fdf47ecf5d178

SHA1
0733615e296e867bc56cd34a6c419a375f919e48

SHA256
21ed67798212ae1c39703eb21dc8c6e785afcf3ed9606ff6b63572cc3c7644dd

SHA512
62cc18c855c627394e0a96d86ffc740e3e282a235e4e9dabda71d2b45a96ca778fecd2a90c5aea1b780e72bb35f4b12ebcb64b05bbeadcabb63aacb588962117

Download Submit
C:\Users\Admin\AppData\Local\Temp\TTPn06N.xml

Filesize
1KB

MD5
1a438230badf6a67664ba70b870ac77c

SHA1
28486c74b51f5af70c921f0cd9e133f46839072e

SHA256
e096eeadb865ac8fa0ef02713b37127c55124c06a472a69b3a0158e18284db7a

SHA512
51c7d25a700327da4ddb94f71f6618180a78493ff42c4da54f75ad483817cad1bb17f34828f97305bea56be895f03f2152a7edd4fddf60c6e10adb6c557e2f35

Download Submit
memory/1580-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1580-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1580-7-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/1580-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1920-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1920-21-0x0000000025010000-0x000000002508E000-memory.dmp

Filesize
504KB

Download
memory/1920-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1920-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1920-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads