4144804a61e31832b6d06340697e7c55bef1abdd0449d292ac37b06bedc50ead

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe
Size

87KB
MD5

87c76f0267ba4d8792e56c20ff94e29e
SHA1

f31cdb05a12a00b6e556a75aaad07fa5593cd95e
SHA256

4144804a61e31832b6d06340697e7c55bef1abdd0449d292ac37b06bedc50ead
SHA512

92fe096eebc1d1250c718927ca66ae2b9ac9897edc08b9bfb1c1d537169d9b3e5f081e42a072dd184aaf81c314bb0380c7e773bb434281d4d49e8fee433bcdde
SSDEEP

1536:NT5GJEhlcbW5sk19lfLvbeIbXWm+nwN6JYExD9qvg2mJJEjtEX:NdGu99lfzqIbXWm+w0JSg2mJOjtEX

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	s.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe
2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe
3020	s.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	3020	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 2360 wrote to memory of 3020	2360	87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2736	3020	s.exe	32
PID 3020 wrote to memory of 2736	3020	s.exe	32
PID 3020 wrote to memory of 2736	3020	s.exe	32
PID 3020 wrote to memory of 2736	3020	s.exe	32
PID 3020 wrote to memory of 2736	3020	s.exe	32
PID 3020 wrote to memory of 2736	3020	s.exe	32
PID 3020 wrote to memory of 2736	3020	s.exe	32

C:\Users\Admin\AppData\Local\Temp\87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87c76f0267ba4d8792e56c20ff94e29e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 264
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe

Filesize
42KB

MD5
6db9bdb35710d6ebc0803a1832de6f31

SHA1
424cedd506abc3026bef21b60093400fc34f426c

SHA256
82999ec44bff9c173bfc67a0996b1cff59cd4b369cbc5976d33eae566446e633

SHA512
d5dcd8a3f9c9468e35a312acf4eb697469b085049e4af99a02c66a83dc9ae9ef088d830f6d78524ba4634bc987c677329accf1d0a3a4e7e3c429115ab272d693

Download Submit
memory/3020-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads