05383f03f867b2293d9d991acfb03576bcd07c9e4d2f9afd60de54e59a9fbb5a

Analysis

max time kernel
140s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe
Size

722KB
MD5

8877731ac9d89376ec760076289c94b7
SHA1

3507d10ca1db3965abe913beda4fe25c1a80a6a7
SHA256

05383f03f867b2293d9d991acfb03576bcd07c9e4d2f9afd60de54e59a9fbb5a
SHA512

af2966b96c712825057d5dabcfc3fa9280b637eb5fdf8acaa31342623dc327bbd05594cf67998b509a2ecdb55f7175015c124f00fed3a809edcf95c94c4e948b
SSDEEP

12288:ZOigytK/0Oxj2BuBgKZ+SawSr1Nqn3YQ1F3Z4mxx6DqVTVOCo:ZOaEsojiuBgKBa7NFQ1QmXBVTzo

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	2.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe
2244	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	2952	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2952	2244	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2952	2244	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2952	2244	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2952	2244	8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2980	2952	2.exe	31
PID 2952 wrote to memory of 2980	2952	2.exe	31
PID 2952 wrote to memory of 2980	2952	2.exe	31
PID 2952 wrote to memory of 2980	2952	2.exe	31

C:\Users\Admin\AppData\Local\Temp\8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8877731ac9d89376ec760076289c94b7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
345KB

MD5
30d1c597d540e7f2c24d2d85f6261785

SHA1
d35e84805a97b91413d5e468016f8dfdebaf5e8a

SHA256
169b1d448df93e2e0df3b295b7aa8c3aada47d3ef24bf01b9d7ea05767b9665a

SHA512
9b0b73423728d078a55e6dbd60669f364953b585119c0470f3e34fe36523778cb4d24b345a3cd1d24bc0e16f346f033055876faf51d61d85671d6d04106a835f

Download Submit
memory/2244-13-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-56-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-34-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2244-33-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2244-32-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2244-31-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2244-30-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2244-29-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2244-28-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2244-27-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2244-26-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2244-25-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2244-24-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2244-23-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2244-22-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2244-21-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2244-20-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-19-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-18-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-17-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-16-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-15-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2244-14-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2244-35-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2244-10-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-12-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-9-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-8-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2244-7-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2244-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2244-5-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2244-4-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2244-3-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2244-0-0x0000000001000000-0x0000000001124000-memory.dmp

Filesize
1.1MB

Download
memory/2244-48-0x0000000001000000-0x0000000001124000-memory.dmp

Filesize
1.1MB

Download
memory/2244-62-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-52-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2244-58-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-57-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-55-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-54-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-53-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-59-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-61-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2244-60-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2952-49-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads