85b9933bd8318e5643da0fe1f27a802e3ea46358641341a85a4bef39e22843f9

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 01:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe
Size

700KB
MD5

a91c0b1a63856e419d1f899ab20e3015
SHA1

d5461efec07edf1f33c9f0b40060a11d057243f1
SHA256

85b9933bd8318e5643da0fe1f27a802e3ea46358641341a85a4bef39e22843f9
SHA512

505682c930d25e39c66b09ea97a5bfa7c3bf77397885b82027515ecd5a718dfe6f74b37afb2b58143636a752b2d73565f4cc128f1ff8de06d8d7867048dbe3c5
SSDEEP

12288:/mgnpb1tiMrdNtfbtGcC93jhX35oV3cAJzpDqF3Z4mxx1DqVTVOCN:OUb1tiMrdHgcK3jhXpw3RtWQmXEVTzN

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	10.exe

Loads dropped DLL 6 IoCs

pid	Process
1460	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe
1460	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	2840	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2840	1460	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2840	1460	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2840	1460	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2840	1460	a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe	30
PID 2840 wrote to memory of 3032	2840	10.exe	31
PID 2840 wrote to memory of 3032	2840	10.exe	31
PID 2840 wrote to memory of 3032	2840	10.exe	31
PID 2840 wrote to memory of 3032	2840	10.exe	31

C:\Users\Admin\AppData\Local\Temp\a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a91c0b1a63856e419d1f899ab20e3015_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\10.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\10.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 44
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\10.exe

Filesize
328KB

MD5
082cec8162f276f92c476b8130e828f5

SHA1
e909b3bc0cff6c6ec12aa0574f33c230ddabaa14

SHA256
61c1425b4b72391ebac0654a826cb3387fcd09694040963f34264559c2dca9fd

SHA512
a2f6f7c7d285d2f91728e66373b7ff8a6f16515388b33f6119298732ff0c88a1df16f7983ee8975fdd68ebab5291f63c82370454e98ce9c2dd15c853adde17bc

Download Submit
memory/1460-1-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download
memory/1460-0-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/1460-43-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/1460-42-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1460-45-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1460-44-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1460-41-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1460-40-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1460-39-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1460-38-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1460-37-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1460-36-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1460-35-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1460-34-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1460-33-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1460-32-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1460-31-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1460-30-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1460-29-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1460-28-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1460-27-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1460-26-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1460-25-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1460-24-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1460-23-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1460-22-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-21-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-20-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-19-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-18-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-17-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-16-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-15-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-14-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-13-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-12-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1460-11-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-10-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-9-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1460-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1460-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1460-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1460-4-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1460-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1460-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1460-54-0x0000000003840000-0x000000000392B000-memory.dmp

Filesize
940KB

Download
memory/1460-55-0x0000000003840000-0x000000000392B000-memory.dmp

Filesize
940KB

Download
memory/1460-62-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/1460-63-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download
memory/1460-64-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1460-65-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2840-57-0x0000000001000000-0x00000000010EB000-memory.dmp

Filesize
940KB

Download
memory/2840-67-0x0000000001000000-0x00000000010EB000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads