f3765223815e67c9a1aa45aa4b8f3a18dd8ee23a60d9e3e01eb4f2b5e86e1abd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
Size

212KB
MD5

b0fc90a88819b999d202dc22cf5f35c9
SHA1

1d4d72975666a994012689e87e201e1cc75620d0
SHA256

f3765223815e67c9a1aa45aa4b8f3a18dd8ee23a60d9e3e01eb4f2b5e86e1abd
SHA512

e2a7fdc4ed5b3d4b3a93d1e883bc47668b1ae0e4acfabb349b752892c00a60140f9bc28c4da49be53644df4cc23c6f334e13b090db9e0c745ad62b3ca9b5cead
SSDEEP

6144:KAEkK6rmEnOwO6esxm1XwY7XEjZufoKEy:dT3rnOwO8xm1XPX8qwy

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2888	Hnifua.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1752-0-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral2/memory/1752-3-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral2/files/0x000b0000000233d9-11.dat	upx
behavioral2/memory/2888-13-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
File created	C:\Windows\Hnifua.exe	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
File opened for modification	C:\Windows\Hnifua.exe	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Hnifua.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Hnifua.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
90280	2888	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnifua.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	Hnifua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe
2888	Hnifua.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2888	1752	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe	86
PID 1752 wrote to memory of 2888	1752	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe	86
PID 1752 wrote to memory of 2888	1752	b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0fc90a88819b999d202dc22cf5f35c9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\Hnifua.exe
  C:\Windows\Hnifua.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 836
    3⤵
    - Program crash
    PID:90280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2888 -ip 2888
1⤵
PID:90252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hnifua.exe

Filesize
212KB

MD5
b0fc90a88819b999d202dc22cf5f35c9

SHA1
1d4d72975666a994012689e87e201e1cc75620d0

SHA256
f3765223815e67c9a1aa45aa4b8f3a18dd8ee23a60d9e3e01eb4f2b5e86e1abd

SHA512
e2a7fdc4ed5b3d4b3a93d1e883bc47668b1ae0e4acfabb349b752892c00a60140f9bc28c4da49be53644df4cc23c6f334e13b090db9e0c745ad62b3ca9b5cead

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
1e58ed27da801019f507f24c3ec9d033

SHA1
9d0f2faa416057de6bc9f0978c33ec0dda7bb1b1

SHA256
efe145d2c12db687bca576ae473e613d81a68267672fe4a81434a242cbaf0721

SHA512
c7a30303a50c2923fc2f5a56a37c897b0db55de57de629020c035cf85946434dbebf9a51fbb2b6935fcc2aaba7b79022fcce523fddee5a4da857fcd941e8cfe0

Download Submit
memory/1752-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1752-5871-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1752-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1752-2-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1752-3-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1752-51594-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1752-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1752-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-50968-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-64042-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-138420-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-138419-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download