Analysis

  • max time kernel
    133s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2024 09:15

General

  • Target

    6ef86daa845b062f9748082f2ad8dd8f_JaffaCakes118.exe

  • Size

    528KB

  • MD5

    6ef86daa845b062f9748082f2ad8dd8f

  • SHA1

    c6a7d6938b4319ec7e758609cb83dac8322d1256

  • SHA256

    3fc80bb964755d2e0b2a741ea460348fdb35058cfcc3f29beaf12cbbc4b5c9c0

  • SHA512

    5b5e466f48097e3fdeb0093d530035935672fd90f7762f47a9d75a1d8d99cb422e14d50d78be4c7979f24404aa577a5d696ef1d52139fea3515c6fdb2ce366cf

  • SSDEEP

    12288:8J+t8jy3K+vmHW9+AUqn0tbkRskNaQ4ppdJN9IJap2:i2K+OmhUqngbkRsSmmJa4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ef86daa845b062f9748082f2ad8dd8f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ef86daa845b062f9748082f2ad8dd8f_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbhkkaxv.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC49F.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3344
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:2332
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 12
        3⤵
        • Program crash
        PID:4588
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 780
          4⤵
          • Program crash
          PID:4300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2332 -ip 2332
    1⤵
      PID:4848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588
      1⤵
        PID:3444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4300 -ip 4300
        1⤵
          PID:1180

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Discovery

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES4A0.tmp
          Filesize

          1KB

          MD5

          4c8ea655b6115edcde29be7654499de7

          SHA1

          e06caeca86d9676f47d66a6eba8a46dff234ac7a

          SHA256

          11de8bf3db83441c270ce628af689e11c37f9e1980a94aa636863c335f20beaa

          SHA512

          6be43e0b6df3d5f52b2d19e8ee559afc29b0d509b47f3f982456e2760458a942f5b5da98ffedc3e47c658c84a56e747e14c9701c89041be68918eca50db085b6

        • C:\Users\Admin\AppData\Local\Temp\pbhkkaxv.dll
          Filesize

          5KB

          MD5

          4b81f2c911fdc171343a996fd13a6211

          SHA1

          001f1025f35c807652ec79ec228ab7711aac0c62

          SHA256

          05dfd320c43789bf1fa1c57d8d7d5f3da996312eeebead32c2d85dc517836e88

          SHA512

          dbd2bc58e51729c7d8f21c8b71dbdb24b03b0d396ab66671dabcb9b8364942f216f4c67c30b520c1dd1ededd33b7e088e9dc9dc9a3bf14f5837e86a0bed878b1

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          6KB

          MD5

          d89fdbb4172cee2b2f41033e62c677d6

          SHA1

          c1917b579551f0915f1a0a8e8e3c7a6809284e6b

          SHA256

          2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

          SHA512

          48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC49F.tmp
          Filesize

          652B

          MD5

          25855d95497b13060517d01f6b789d7a

          SHA1

          a7d747e2c701ec647fcfb3d12ab9472a57e67a09

          SHA256

          eba99364fa4ef5911cb5485eee02f2ea18f592d610f877ea7fbaf193f3ad2ff8

          SHA512

          16b9065165eb10da146bb7fd0f09146ed89708638e2d72ba8ebb7bd714b3fa7e9f26e9f02aa235bc54fd0760a362b433179f795ba03212aa7f1e1981a0bd34a9

        • \??\c:\Users\Admin\AppData\Local\Temp\pbhkkaxv.0.cs
          Filesize

          5KB

          MD5

          cb25540570735d26bf391e8b54579396

          SHA1

          135651d49409214d21348bb879f7973384a7a8cb

          SHA256

          922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

          SHA512

          553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

        • \??\c:\Users\Admin\AppData\Local\Temp\pbhkkaxv.cmdline
          Filesize

          206B

          MD5

          ce9b4ccadf2243989f43f93420bd4488

          SHA1

          c5d44af6ea86001f0d9ce641b6f1b9b55c6e7b88

          SHA256

          a0be415ef933c9028e0b3eb3ba88a88d2753d08d9004b4b0b7edd5b283afe1bc

          SHA512

          d1f654fffff06d636866d6dc7ed1060ec8b9a39f374728c8f5522ea6f0683c8bd4c08693287ba699a12bff6fadbb25adfe85232d3e4418976f091b1445665db0

        • memory/2172-10-0x0000000074910000-0x0000000074EC1000-memory.dmp
          Filesize

          5.7MB

        • memory/2172-15-0x0000000074910000-0x0000000074EC1000-memory.dmp
          Filesize

          5.7MB

        • memory/4740-0-0x0000000074912000-0x0000000074913000-memory.dmp
          Filesize

          4KB

        • memory/4740-1-0x0000000074910000-0x0000000074EC1000-memory.dmp
          Filesize

          5.7MB

        • memory/4740-2-0x0000000074910000-0x0000000074EC1000-memory.dmp
          Filesize

          5.7MB

        • memory/4740-23-0x0000000074910000-0x0000000074EC1000-memory.dmp
          Filesize

          5.7MB