2db62cc6d300d7b4ab03a70d6e6724054058acbbf6ee6047c32c4f7deb0900cf

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 20:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe
Size

56KB
MD5

75a703059053efb81220594bd9bf4c8e
SHA1

9289328e7513171b40ad51101e0091c79cacc9df
SHA256

2db62cc6d300d7b4ab03a70d6e6724054058acbbf6ee6047c32c4f7deb0900cf
SHA512

7cc7c25cd7d74ddc4b1ca180050fe3fa98f48e7a5e08ffa3d85b56e8c19cd83ed5a595560787fdae30fe6faf5e81d0f7185696d2357691887630e6caae537598
SSDEEP

768:JupZtHFTf1DBfP1IDZQxEmPu/pBl980O3XBKw+EUO5uy5R7:op7Hdf1DFdIDZyRQQJnBLX9v

Score

7^/10

discovery vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	You Server.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe
2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000040B000-memory.dmp	vmprotect
behavioral1/memory/2028-15-0x0000000000400000-0x000000000040B000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2208	2480	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	You Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2480	2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe	29
PID 2028 wrote to memory of 2480	2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe	29
PID 2028 wrote to memory of 2480	2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe	29
PID 2028 wrote to memory of 2480	2028	75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe	29
PID 2480 wrote to memory of 2208	2480	You Server.exe	30
PID 2480 wrote to memory of 2208	2480	You Server.exe	30
PID 2480 wrote to memory of 2208	2480	You Server.exe	30
PID 2480 wrote to memory of 2208	2480	You Server.exe	30

C:\Users\Admin\AppData\Local\Temp\75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75a703059053efb81220594bd9bf4c8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\You Server.exe
  "C:\Users\Admin\AppData\Local\Temp\You Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\You Server.exe

Filesize
35KB

MD5
5a3d9c900d07185fc9f5940d3d80d776

SHA1
3d0fa5a083170ffdbd81d8e340d809b789ee091b

SHA256
8f2d07c4fba8d9ebb84dd5d01a22c3a211558854f9265847d933ee7714c114d2

SHA512
c9286442d0e33a062f2ef21ad36aef4887cbfc2917ec044e6dd92fb1800d8050b80ce6fe20e1447715de15ab34212602da629d64dce587864cb2be271ca30c6d

Download Submit
memory/2028-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2028-10-0x00000000004D0000-0x00000000004D4000-memory.dmp

Filesize
16KB

Download
memory/2028-12-0x00000000004D0000-0x00000000004D4000-memory.dmp

Filesize
16KB

Download
memory/2028-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2480-14-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download