Overview

overview

10

Static

static

3

9fe2844341...18.exe

windows7-x64

5

9fe2844341...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2024 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fe28443416a84b4bf6978d007dc0c74_JaffaCakes118.exe

  • Size

    71KB

  • MD5

    9fe28443416a84b4bf6978d007dc0c74

  • SHA1

    1d10dc0f72a4956e5283bf5dfcf75c974cdd04ea

  • SHA256

    bb9cc5de409a0c547d90580cc5508f2b11a188530501274536334a393faa93ae

  • SHA512

    3cb81b3b8f81a493b6a6d4b4418c8c68422068a4bb06f7aa4daeadefe258a5d1d3b1c6d01fedaf7d2df272f3693e415ed36048bec1e14738674e01ce79feec19

  • SSDEEP

    1536:PDqiIm+Oi/W6S/bs9cjja9yZfgt1OiMIik0BjIz:PD+J/Y/NLfgt1R0BjIz

Score
10/10
discoveryevasionexecutionpersistence

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fe28443416a84b4bf6978d007dc0c74_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9fe28443416a84b4bf6978d007dc0c74_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Users\Admin\AppData\Local\Temp\9fe28443416a84b4bf6978d007dc0c74_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\9fe28443416a84b4bf6978d007dc0c74_JaffaCakes118.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3548
      • \??\c:\windows\SysWOW64\cmd.exe
        c:\windows\system32\cmd.exe /c net stop bits&net stop cryptsvc&sc config cryptsvc start= disabled&sc delete cryptsvc
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Windows\SysWOW64\net.exe
          net stop bits
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop bits
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1620
        • C:\Windows\SysWOW64\net.exe
          net stop cryptsvc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop cryptsvc
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4904
        • C:\Windows\SysWOW64\sc.exe
          sc config cryptsvc start= disabled
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4072
        • C:\Windows\SysWOW64\sc.exe
          sc delete cryptsvc
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 320
        3⤵
        • Program crash
        PID:1476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3548 -ip 3548
    1⤵
      PID:4584

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3548-0-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3548-1-0x0000000000400000-0x00000000004219B0-memory.dmp

      Filesize

      134KB

      Download

    • memory/3548-3-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3548-6-0x0000000000400000-0x00000000004219B0-memory.dmp

      Filesize

      134KB

      Download

    • memory/3548-7-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download