0744154e6e0ee03d382ec6fe35b2b67b818e9c5ed6e3133656861491e61ad43e

Analysis

max time kernel
142s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe
Size

972KB
MD5

bff21fce41848684f8383e2a47b34119
SHA1

9837db9be3ebad237affa30449e2da721b548af2
SHA256

0744154e6e0ee03d382ec6fe35b2b67b818e9c5ed6e3133656861491e61ad43e
SHA512

287ddcb843ff713d2c8cfa082ee405e53b7700f5c664944458b22a4884f25d20fb6d8d50dfefdab1a8f8ca90d2d866d3f36df02aa513056456cd8833724e4b02
SSDEEP

24576:GBjOd7DZ4Ku0uCgzCMxNIQcHRQmX0VTz3:Aj2D6NzCcJmEx

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000234af-64.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
3724	SERVER~1.EXE
1628	EntMian.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EntMian.exe	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE
File created	C:\Windows\EntMian.exe	SERVER~1.EXE

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1532	3724	WerFault.exe	84
704	1628	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EntMian.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3724	SERVER~1.EXE
Token: SeDebugPrivilege	1628	EntMian.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1628	EntMian.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3724	4624	bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe	84
PID 4624 wrote to memory of 3724	4624	bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe	84
PID 4624 wrote to memory of 3724	4624	bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe	84
PID 1628 wrote to memory of 1892	1628	EntMian.exe	94
PID 1628 wrote to memory of 1892	1628	EntMian.exe	94
PID 3724 wrote to memory of 1164	3724	SERVER~1.EXE	100
PID 3724 wrote to memory of 1164	3724	SERVER~1.EXE	100
PID 3724 wrote to memory of 1164	3724	SERVER~1.EXE	100

C:\Users\Admin\AppData\Local\Temp\bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bff21fce41848684f8383e2a47b34119_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 324
    3⤵
    - Program crash
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3724 -ip 3724
1⤵
PID:5084

C:\Windows\EntMian.exe
C:\Windows\EntMian.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 320
  2⤵
  - Program crash
  PID:704
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1628 -ip 1628
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
523KB

MD5
d382417e5649349619a48ff99a1e3ecc

SHA1
339311b721bd92cc2a061d5c792933cd06ee622e

SHA256
06d3163f240cc241bbece84c89e7a71d4bc8c2df42770685dfd8e7cb3a3ab45b

SHA512
bfa63348a83806f0837f11d6fedebad49daa2c5adcdfb60de1c2f212d070be767fc3f2174fb56073bd68c3117e99bcea03a22c22e832ed6dfceef13e936765c0

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
memory/1628-81-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3724-77-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4624-0-0x0000000001000000-0x0000000001221000-memory.dmp

Filesize
2.1MB

Download
memory/4624-1-0x0000000000900000-0x0000000000954000-memory.dmp

Filesize
336KB

Download
memory/4624-3-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4624-9-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-8-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4624-7-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4624-6-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4624-5-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4624-4-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4624-2-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4624-10-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4624-58-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-60-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-59-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-57-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-56-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-55-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-54-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-53-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-52-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-51-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-50-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-49-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-48-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-47-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-46-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-45-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-44-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-43-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-42-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-41-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-40-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-39-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-38-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-37-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-36-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-35-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4624-34-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4624-33-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4624-32-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4624-31-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4624-30-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-29-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4624-28-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4624-27-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4624-26-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4624-25-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4624-24-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4624-23-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4624-22-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/4624-21-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4624-20-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-19-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-18-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-17-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4624-16-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-15-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-14-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-13-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-12-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-11-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-68-0x0000000001000000-0x0000000001221000-memory.dmp

Filesize
2.1MB

Download
memory/4624-71-0x0000000000900000-0x0000000000954000-memory.dmp

Filesize
336KB

Download
memory/4624-74-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-73-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-72-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4624-79-0x0000000001000000-0x0000000001221000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads