946ea994983629eef87cd29a44e6d5055be502c283b7823ed64bc65bd557ab9d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb3d435b00d1492520ce684b4007b424_JaffaCakes118.exe
Size

217KB
MD5

bb3d435b00d1492520ce684b4007b424
SHA1

9d6cbff957aaf597f52a22aa6c8bb04526c718cd
SHA256

946ea994983629eef87cd29a44e6d5055be502c283b7823ed64bc65bd557ab9d
SHA512

73f5c9ab3b48a4ff5810709d877e100285bd659cb49b762193febae2f025a8cb259f475afda6149ac98c9f1abcd3c01d2a09759d49f7f8d410722e7b88ce1915
SSDEEP

6144:UxVYfi8e7Xh/Cyx4R1lT+D2OO7+vnyRDXc+SG:aVXh/JGRjT5OADc+h

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\svajnager.exe	bb3d435b00d1492520ce684b4007b424_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	svajnager.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0004000000005c50-5.dat	upx
behavioral1/memory/2716-6-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\keys.ini	bb3d435b00d1492520ce684b4007b424_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	2716	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svajnager.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2776	2716	svajnager.exe	31
PID 2716 wrote to memory of 2776	2716	svajnager.exe	31
PID 2716 wrote to memory of 2776	2716	svajnager.exe	31
PID 2716 wrote to memory of 2776	2716	svajnager.exe	31

C:\Users\Admin\AppData\Local\Temp\bb3d435b00d1492520ce684b4007b424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb3d435b00d1492520ce684b4007b424_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
PID:2220

C:\Windows\SysWOW64\drivers\svajnager.exe
C:\Windows\SysWOW64\drivers\svajnager.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 224
  2⤵
  - Program crash
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\svajnager.exe

Filesize
217KB

MD5
bb3d435b00d1492520ce684b4007b424

SHA1
9d6cbff957aaf597f52a22aa6c8bb04526c718cd

SHA256
946ea994983629eef87cd29a44e6d5055be502c283b7823ed64bc65bd557ab9d

SHA512
73f5c9ab3b48a4ff5810709d877e100285bd659cb49b762193febae2f025a8cb259f475afda6149ac98c9f1abcd3c01d2a09759d49f7f8d410722e7b88ce1915

Download Submit
memory/2220-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2220-2-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2220-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2220-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2220-18-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2716-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2716-9-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2716-8-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2716-11-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download