d40039cca6360c6e9300e132e0fb8547ae5044a4b84be8b8c1fbf75f0c0341ce

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa55c70f096251ce016a80aced0d2cf2_JaffaCakes118.exe
Size

644KB
MD5

aa55c70f096251ce016a80aced0d2cf2
SHA1

80f114edb58f9b90723666bc368d8e30425910b5
SHA256

d40039cca6360c6e9300e132e0fb8547ae5044a4b84be8b8c1fbf75f0c0341ce
SHA512

44d92dd2acab4cc708e9fa8066fee9ac75183ea932d6093774c3b6021aab27803f12857725f1003ecf69faca653b3ffa8a85b04b8d95d117373658ac3025c464
SSDEEP

12288:1+QIEh1bjmvllIOmziNYKyfmdPMJikVK4D4rr3zeLYW4H/31r5tIU:M+jmvZmOpAvur/v

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4856	648.exe
3340	file1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002344f-19.dat	upx
behavioral2/memory/3340-21-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3340-23-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	3340	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 4856	2328	aa55c70f096251ce016a80aced0d2cf2_JaffaCakes118.exe	85
PID 2328 wrote to memory of 4856	2328	aa55c70f096251ce016a80aced0d2cf2_JaffaCakes118.exe	85
PID 4856 wrote to memory of 3340	4856	648.exe	89
PID 4856 wrote to memory of 3340	4856	648.exe	89
PID 4856 wrote to memory of 3340	4856	648.exe	89

C:\Users\Admin\AppData\Local\Temp\aa55c70f096251ce016a80aced0d2cf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa55c70f096251ce016a80aced0d2cf2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\648.exe
  C:\Users\Admin\AppData\Local\Temp\648.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\file1.exe
    file1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 428
      4⤵
      Program crash
      PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3340 -ip 3340
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\648.exe

Filesize
235KB

MD5
eff386e31faa25d5c8626a46534007e1

SHA1
9de25afba9f01e9ddc7f03015f3f470fc34c03a8

SHA256
2e30b2876328c1e28f39142fb1cda9b0c156cacc6be8ccc3857281d1d9462884

SHA512
b83def49d73711169f5877171058c911608fa1a1575c6638287c15f32daa8d4453248cfca867afc1b2403121be1d67aa375c9f9ff0c4a031c227a3c8e2e04199

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
106KB

MD5
d62dc214b11182419dfc3d6144dd50ae

SHA1
8a40b864eadc32b33b32b86db1d552035e137960

SHA256
fcadb673e7eba37c2e4a4dd941ea464ca8704177d9e0db22ff58e4ac63ad233b

SHA512
28e6760809069bc40df7023196f7d33c792fc30cd5977b5ba0c145aee3d395a9dbda897db5150b117734363bf0fc91f8d7e2fa61a494c2931d9ee3d51df42221

Download Submit
memory/2328-16-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/2328-1-0x000000001BA10000-0x000000001BAB6000-memory.dmp

Filesize
664KB

Download
memory/2328-3-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/2328-0-0x00007FFF6DF35000-0x00007FFF6DF36000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/3340-23-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3340-21-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4856-8-0x000000001B7D0000-0x000000001BC9E000-memory.dmp

Filesize
4.8MB

Download
memory/4856-13-0x000000001BED0000-0x000000001BF1C000-memory.dmp

Filesize
304KB

Download
memory/4856-14-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/4856-12-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/4856-11-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/4856-10-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/4856-9-0x000000001BD70000-0x000000001BE0C000-memory.dmp

Filesize
624KB

Download
memory/4856-25-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download
memory/4856-26-0x00007FFF6DC80000-0x00007FFF6E621000-memory.dmp

Filesize
9.6MB

Download