986c6079856a063f4d31de1f4410eefe8ccc3934b25f9e971459a6fe18a99122

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe
Size

427KB
MD5

bd4e53d0ca48cfa71b0e5e6489cfecea
SHA1

5ff0b9a8728c305354b28575762a28ccbef62202
SHA256

986c6079856a063f4d31de1f4410eefe8ccc3934b25f9e971459a6fe18a99122
SHA512

88ec559f7f7c6bdfedd53f40be18cf6191e7c67203e5abef84f71553c2667ec5a1b2a0e71e4367709ba9a4b7565fac15f98b1ac3537daecefb2a14c62e6c1ed3
SSDEEP

6144:8cwuO3NYDsNAdnQWMAN6l5yjiqXRZtWpfvxs5kiha0Al3EsRy2LaQt:8c7O3N50BMukyHgG51A5WQ

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1756	lKpGnNi01812.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	lKpGnNi01812.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3488-3-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3488-1-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3488-5-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/1756-18-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3488-22-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/1756-23-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/1756-36-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3488-43-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lKpGnNi01812 = "C:\\ProgramData\\lKpGnNi01812\\lKpGnNi01812.exe"	lKpGnNi01812.exe

Program crash 25 IoCs

pid	pid_target	Process	procid_target
1172	3488	WerFault.exe	90
3656	1756	WerFault.exe	94
4400	3488	WerFault.exe	90
2548	1756	WerFault.exe	94
2256	3488	WerFault.exe	90
3256	1756	WerFault.exe	94
2608	3488	WerFault.exe	90
3192	1756	WerFault.exe	94
4484	3488	WerFault.exe	90
2912	1756	WerFault.exe	94
3680	3488	WerFault.exe	90
752	1756	WerFault.exe	94
4428	3488	WerFault.exe	90
1520	1756	WerFault.exe	94
4912	1756	WerFault.exe	94
4052	1756	WerFault.exe	94
1956	1756	WerFault.exe	94
3036	1756	WerFault.exe	94
1104	1756	WerFault.exe	94
1712	1756	WerFault.exe	94
3696	1756	WerFault.exe	94
2824	3488	WerFault.exe	90
4420	3488	WerFault.exe	90
5000	1756	WerFault.exe	94
1840	1756	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lKpGnNi01812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe
Token: SeDebugPrivilege	1756	lKpGnNi01812.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1756	lKpGnNi01812.exe
1756	lKpGnNi01812.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1756	lKpGnNi01812.exe
1756	lKpGnNi01812.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1756	lKpGnNi01812.exe
1756	lKpGnNi01812.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 1756	3488	bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe	94
PID 3488 wrote to memory of 1756	3488	bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe	94
PID 3488 wrote to memory of 1756	3488	bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\ProgramData\lKpGnNi01812\lKpGnNi01812.exe
  "C:\ProgramData\lKpGnNi01812\lKpGnNi01812.exe" "C:\Users\Admin\AppData\Local\Temp\bd4e53d0ca48cfa71b0e5e6489cfecea_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 756
    3⤵
    - Program crash
    PID:3656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 756
    3⤵
    - Program crash
    PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 808
    3⤵
    - Program crash
    PID:3256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 816
    3⤵
    - Program crash
    PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 920
    3⤵
    - Program crash
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1008
    3⤵
    - Program crash
    PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 988
    3⤵
    - Program crash
    PID:1520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1380
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1592
    3⤵
    - Program crash
    PID:4052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 632
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1580
    3⤵
    - Program crash
    PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1668
    3⤵
    - Program crash
    PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1780
    3⤵
    - Program crash
    PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1788
    3⤵
    - Program crash
    PID:3696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1812
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 760
    3⤵
    - Program crash
    PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 612
  2⤵
  - Program crash
  PID:1172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 784
  2⤵
  - Program crash
  PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 792
  2⤵
  - Program crash
  PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 832
  2⤵
  - Program crash
  PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 840
  2⤵
  - Program crash
  PID:4484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1000
  2⤵
  - Program crash
  PID:3680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1036
  2⤵
  - Program crash
  PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 636
  2⤵
  - Program crash
  PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 140
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3488 -ip 3488
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1756 -ip 1756
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3488 -ip 3488
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1756 -ip 1756
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3488 -ip 3488
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1756 -ip 1756
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3488 -ip 3488
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1756 -ip 1756
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3488 -ip 3488
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1756 -ip 1756
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3488 -ip 3488
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1756 -ip 1756
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3488 -ip 3488
1⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1756 -ip 1756
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1756 -ip 1756
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1756 -ip 1756
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1756 -ip 1756
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1756 -ip 1756
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1756 -ip 1756
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1756 -ip 1756
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1756 -ip 1756
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3488 -ip 3488
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3488 -ip 3488
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1756 -ip 1756
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1756 -ip 1756
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lKpGnNi01812\lKpGnNi01812.exe

Filesize
427KB

MD5
38a8c10b13489642ffbca3d50c98a298

SHA1
1e39fd65e167563f3df3487eb93391de5956abed

SHA256
a47556fa93c4eafe8d4e607e01445fa5276bae13ce302f116b7fcc17d37a596a

SHA512
cbe7e8d72a9d47d9b49c0c714ce0b44cfb9802ccffc31cf67358a81ba99e1741dce994d52b8a984cd563d0cc167c741e107aae843aa72b22c7e1ff3faaf379b2

Download Submit
memory/1756-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1756-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1756-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1756-14-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3488-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3488-5-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3488-0-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3488-21-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3488-22-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3488-4-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3488-3-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3488-43-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads