fc3a963a49c13fb0daf588e8aef940e61c174c8db653020dc1279d6e39960165

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe
Size

388KB
MD5

71e8a3671c61dc40bb52627ad985e6e1
SHA1

72f9165d65a52acd3cab5a66ea2ebfd16e3e89bd
SHA256

fc3a963a49c13fb0daf588e8aef940e61c174c8db653020dc1279d6e39960165
SHA512

acfd18f488e5c7e7ed728641873985780661a6c9b005935da33ebfee2e3004cd22cd467a3f03b97e4ee35024dc9f37661e3f3a72491e089056daeed967df733d
SSDEEP

6144:W5d8V2rj/aJSvpRwC1eMof9JG/mI/TAmRPKJW/TiLNj:W5/r7eSRRQ9imI/TAmRPHO

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2336	mC01836MaBfI01836.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	mC01836MaBfI01836.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1096-6-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/1096-14-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2336-21-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2336-24-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2336-31-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mC01836MaBfI01836 = "C:\\ProgramData\\mC01836MaBfI01836\\mC01836MaBfI01836.exe"	mC01836MaBfI01836.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3924	1096	WerFault.exe	82
4320	2336	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mC01836MaBfI01836.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe
1096	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2336	mC01836MaBfI01836.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2336	mC01836MaBfI01836.exe
2336	mC01836MaBfI01836.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2336	1096	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe	90
PID 1096 wrote to memory of 2336	1096	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe	90
PID 1096 wrote to memory of 2336	1096	71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 688
  2⤵
  - Program crash
  PID:3924
- C:\ProgramData\mC01836MaBfI01836\mC01836MaBfI01836.exe
  "C:\ProgramData\mC01836MaBfI01836\mC01836MaBfI01836.exe" "C:\Users\Admin\AppData\Local\Temp\71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 668
    3⤵
    - Program crash
    PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2336 -ip 2336
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mC01836MaBfI01836\mC01836MaBfI01836

Filesize
192B

MD5
eafdd2af066554eb28e3494a201c06fd

SHA1
1910c84156c98118420c3ed40012c4f0cf97a279

SHA256
2577ef4d130d286fa9534548a3288384ff68a2b872611c58fdcb28dcb777f5c0

SHA512
c1ebab7b3c52eccb97f0fef0b5d67f0ce5289c793daa76cc3a861c39d1acc92e9ca8bfa2d5b63753d34ed503a00800602b35029b9a0f87d5ab78ec1eec2c12d6

Download Submit
C:\ProgramData\mC01836MaBfI01836\mC01836MaBfI01836.exe

Filesize
388KB

MD5
000070f6849544c3414b3fd8a85789ff

SHA1
ffec6bc552f5f66f6698edbb69e7d07a9e280ced

SHA256
430a82185681d0538e1aa4f106e0556b387a47ed4ebe58641ebc3680ecb7753e

SHA512
cda18f77a9aa852293adf6b2490899b447a04355e7ffe533c8dc42bfbda1ae551b14724a330554c606dc115917a37b9b0c34cb26084656baccc1702280c2cbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\71e8a3671c61dc40bb52627ad985e6e1_JaffaCakes118

Filesize
192B

MD5
bebf7e9f59bb0da118ba920f3afedc27

SHA1
6591a34c00b954ceb9406253350c1909daf95772

SHA256
a9c9c967e42b8dfbc770f8954dc77b440652ea244ed652d1ea9b951122a74ae6

SHA512
bff04311fa241d3ada18101a3d7be163f2d4c20adcf14ab421e0208b5782d874767d1c6c9fb04985995f3d3a4b2f0d3206c5c3094e0145788ef97f34d3fdf55b

Download Submit
memory/1096-0-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/1096-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1096-14-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2336-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2336-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2336-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2336-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download