bf8f4c6bbf22d6352f25ba618c716b81573c42337f60ca832de0a7b98b5eb8b9

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe
Size

137KB
MD5

aca13bfff2cf2b950e6bceddc343d550
SHA1

f80d713ec00a20e89a8f4eb392b463e5004f1ecd
SHA256

bf8f4c6bbf22d6352f25ba618c716b81573c42337f60ca832de0a7b98b5eb8b9
SHA512

e63dcf8984d68b331298b0df94217f9040b6ab694164dcfd69b9ef6864d38777d3670d353125112dd747732301f52cf34837e115cfb521ce2069556e0c6e966d
SSDEEP

3072:SGzRawgUiBJGLe1veolNd2eyxwrshzW8O6RZIGKhZYWA2:JlFJ2p1lNvLshaMioq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
612	1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\1.exe	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	612	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 612	2208	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe	30
PID 2208 wrote to memory of 612	2208	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe	30
PID 2208 wrote to memory of 612	2208	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe	30
PID 2208 wrote to memory of 612	2208	aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe	30
PID 612 wrote to memory of 2844	612	1.exe	31
PID 612 wrote to memory of 2844	612	1.exe	31
PID 612 wrote to memory of 2844	612	1.exe	31
PID 612 wrote to memory of 2844	612	1.exe	31

C:\Users\Admin\AppData\Local\Temp\aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aca13bfff2cf2b950e6bceddc343d550_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\1.exe
  "C:\Windows\1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 44
    3⤵
    - Program crash
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1.exe

Filesize
121KB

MD5
917f4d6a6a1bfc9cce7b4403cc9a8d31

SHA1
277ddf8411c71b42547292f476c6d1b37a087d09

SHA256
395cf5fcd732113e6ab119411b45afe6e2eccc6b6ae5eb5beca0f687796865b4

SHA512
ef328f400026f3fde76f159a24567dfe9dbf25c5e97b03c78710ef0c04fab77b264397e5d7e10289fde26f716e048ed8cd007b552bf44cafe8d4c94798c1a0f7

Download Submit
memory/612-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-0-0x0000000000400000-0x0000000000423200-memory.dmp

Filesize
140KB

Download
memory/2208-4-0x0000000002930000-0x0000000002973000-memory.dmp

Filesize
268KB

Download
memory/2208-9-0x0000000002930000-0x0000000002973000-memory.dmp

Filesize
268KB

Download
memory/2208-10-0x0000000000400000-0x0000000000423200-memory.dmp

Filesize
140KB

Download