Analysis

  • max time kernel
    32s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 01:42

General

  • Target

    05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

  • Size

    229KB

  • MD5

    05276fec4d22dcdf33b18ca59fcbcc2b

  • SHA1

    81f09ddd31ca6d3bff7eeec1d67f55e407e1a9b5

  • SHA256

    077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808

  • SHA512

    eda72239d3563d5bce76d0fe99f99c29ce63b1cd2e9b9d1774095bea2a3ea3d5bd1996eb825ac08ede68aa2b96f8c8d02980a61c1e1bb95e4dacdfcf3ba05e3c

  • SSDEEP

    3072:U6jI9XJy7rww9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTTTTTTZ:XUZy0qzn76ppggmhOF0HFZlxU

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3300
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\devA7C9.tmp!C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe! !
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
        3⤵
        • Executes dropped EXE
        PID:3480
      • C:\WINDOWS\MSWDM.EXE
        -e!C:\Windows\devA7C9.tmp!C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE!
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

    Filesize

    229KB

    MD5

    b90af47d4837e453736496040934457b

    SHA1

    d9277bfaba433b14eb7383259bdd0789430c069a

    SHA256

    a0396d0287961c9220777ca2a82b484316f3defb9b385d47d44bf1eb72d2db05

    SHA512

    acfe4de56feb4de8631d2c44341d83f478b34f3785e5ca66d61f68efe65ffabad7b693f484e82fc3eea78d4aa6349e88578c03e13c766d72f0219aef46518bfb

  • C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

    Filesize

    229KB

    MD5

    efc9d61b9c947685d075197bc9727d52

    SHA1

    062ee3711784e7675fc2ff7bd9181ea9219fd6a2

    SHA256

    af8768d3f21f204622ba9b9f077c81dd92ee0ece88087c8091a8cc827bbe28b6

    SHA512

    5ad8ba37a046273023017a18636cf9e4dee16c486a753464684da123e46d78d9a1e81ed915f38e51d85ff8e717ea344713d20cf20b7f5cb817e4e19509e10c35

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    48KB

    MD5

    2cc0c2ba0c6d47e75f86d4257b97bfee

    SHA1

    3c6682ce02e8d27cae1660331b6aef93e2d1ffba

    SHA256

    8be865e79fa8a2025e0b8456fae9a4a9fc49fd17b0c6055787a1a8f2bc89bf78

    SHA512

    856d51b39e7f47701f886bb9e2b56ef3c0368d0b5e46bfd32b1fe08342d2f2e7941ae946ea8f40ff4a9b77ff438b092328a609cae9ebe61595fb55bbfc6914b0

  • C:\Windows\devA7C9.tmp

    Filesize

    181KB

    MD5

    e9c2bc594e99b189442e1ba1354dc24b

    SHA1

    03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

    SHA256

    0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

    SHA512

    4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

  • memory/2112-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2112-8-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2388-20-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2924-24-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2924-11-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3300-10-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3300-25-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB