92308efe1fc026148aad59db9055360c9c487d628daaff7e856cf2b2d154bf2a

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe
Size

384KB
MD5

a0ddd0f176edbaefcec64c0402c8b44f
SHA1

a4d231f97c444285d7f78feb3a04d81e6a80c7b9
SHA256

92308efe1fc026148aad59db9055360c9c487d628daaff7e856cf2b2d154bf2a
SHA512

402198f2929895d788dcf19c233abee4148362855d30e536552a33fcb00cfaace2afeee24a9c1d5a16d676fefc43501a84f4256ecc5573c76b983db6b092c10a
SSDEEP

6144:d1WDKhasZAhpsereuegftOsvO6BbCViCLmVBZslF+v8VAymrpXWuazt2:zrBZAhplAg1Pv9uPLmV3slFa82yEVW

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3100	fD01803FfBaJ01803.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	fD01803FfBaJ01803.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4332-3-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/4332-12-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3100-15-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3100-23-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3100-30-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fD01803FfBaJ01803 = "C:\\ProgramData\\fD01803FfBaJ01803\\fD01803FfBaJ01803.exe"	fD01803FfBaJ01803.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4236	4332	WerFault.exe	85
4860	3100	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fD01803FfBaJ01803.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4332	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe
4332	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe
Token: SeDebugPrivilege	3100	fD01803FfBaJ01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3100	fD01803FfBaJ01803.exe
3100	fD01803FfBaJ01803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 3100	4332	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe	93
PID 4332 wrote to memory of 3100	4332	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe	93
PID 4332 wrote to memory of 3100	4332	a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 680
  2⤵
  - Program crash
  PID:4236
- C:\ProgramData\fD01803FfBaJ01803\fD01803FfBaJ01803.exe
  "C:\ProgramData\fD01803FfBaJ01803\fD01803FfBaJ01803.exe" "C:\Users\Admin\AppData\Local\Temp\a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 668
    3⤵
    - Program crash
    PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4332 -ip 4332
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3100 -ip 3100
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fD01803FfBaJ01803\fD01803FfBaJ01803.exe

Filesize
384KB

MD5
cc504626a5939536746651da16155310

SHA1
dc50ca61616d5704b421e3f8238734749f0607ba

SHA256
9fe56054be7ab3adbabd2bfcbc1cd8fae9a3200b88c1b5172dd0e2e6fd1c2e65

SHA512
5d186f6d16a896238f37c716457d343138e4a21084a5366f1a0013d20152eabf6af9fd9d28611a28ddb6bb68bf0c50d1f5c9d27633004ada9e742d94d870a5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0ddd0f176edbaefcec64c0402c8b44f_JaffaCakes118

Filesize
192B

MD5
d7fe44f3e78b361c64e03e903a17c220

SHA1
0a4112f823511df35b85b572359d5bf500b31c33

SHA256
e245b380b659d438bc7eadbf811299a261e38d496785be93f7430c249f182a65

SHA512
5fc43e4791ba351c9e6f06afe35898288978512e59d708076ee773a8fc3c2b41f5629c0e35b9cfa3d48e71089ae7517200ca5ade7f19c161e8642682406bd474

Download Submit
memory/3100-14-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3100-15-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3100-23-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3100-30-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4332-0-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/4332-3-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4332-12-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download