fbd85188189ccdeabfe9f8ad9c0da24c20ce2ea1ad38a923ec0a2f49ff3f809b

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe
Size

252KB
MD5

a743dcf0275d64c35b0b1bc6542a4d13
SHA1

9fa28a38f8f0a0e362a764fb66e73045287e3019
SHA256

fbd85188189ccdeabfe9f8ad9c0da24c20ce2ea1ad38a923ec0a2f49ff3f809b
SHA512

bfe9dc62355df31e3c3a5d0677dca4ebd22dd0212d30026c156751ca0a1043cdbb3b0c7005d8b15fdff9a5ae6de4beacc428c620cdea2d3a2dded9f2b237698d
SSDEEP

3072:+TJK5CeMQeMsRDnIP0b72RIzKq7VTT+ARLtAev7hgZfYIMGdSukbpah+HBJ0:+TJfDpa2zKqNTf5WNZwIMW2pxHBJ0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2640	SERVER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2640	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2640	816	a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe	32
PID 816 wrote to memory of 2640	816	a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe	32
PID 816 wrote to memory of 2640	816	a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe	32
PID 816 wrote to memory of 2640	816	a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2744	2640	SERVER.EXE	33
PID 2640 wrote to memory of 2744	2640	SERVER.EXE	33
PID 2640 wrote to memory of 2744	2640	SERVER.EXE	33
PID 2640 wrote to memory of 2744	2640	SERVER.EXE	33

C:\Users\Admin\AppData\Local\Temp\a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a743dcf0275d64c35b0b1bc6542a4d13_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:816
- C:\SERVER.EXE
  "C:\SERVER.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 88
    3⤵
    - Program crash
    PID:2744

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\13758381JM0.JPG

Filesize
125KB

MD5
09f410116816a4e0d8cf8744a8480cc7

SHA1
a6518b36e828055a3f36c96bed0563439997c7f0

SHA256
77ae190e7eff7ba2c1e4c2f1cdfee2028ff9d55243ca2c1b9570bba7b5c17d78

SHA512
83305045d5d4e1233e66a640c868b876ae091dbb21a751fd5ba0e2fa5cd347541f7a72f2d4e2a5cda472d7cc90e2d78dbd77487b719133a6efb321e0106fa098

Download Submit
C:\SERVER.EXE

Filesize
84KB

MD5
9385603f307f6d0cef14f33584b7c2d7

SHA1
35b804f9938d22236a41de4e32d0f70aeeaabf04

SHA256
dca0bd7f95d1647d46436390b5a3900da82e65cd85ccc4b65d1ae830546307f5

SHA512
0a3ce15669db18d66bfd3623241061859d8c10427ce516ffe45662dc4d34c0aa7475607b0a8aa48d7d24aad2ebc5f2aa01530fb1967eba79facf332c3fb2bbe2

Download Submit
memory/816-1-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/816-6-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/816-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2328-2-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2328-7-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2328-15-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2640-13-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download