1054d0f03e6b10c9f813fda68a39c8c5fc1e85c879e797250dd8486a5a9feae6

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 13:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe
Size

2.1MB
MD5

d207be4b9a704a1951372898e8bb01a4
SHA1

c9832ede73d1f2a4bce5c91eec7351ee8befabff
SHA256

1054d0f03e6b10c9f813fda68a39c8c5fc1e85c879e797250dd8486a5a9feae6
SHA512

9c4bddde681c8fdfbe8ecee3fca98a46c672c1a8e2373525635b1926b1d6157057b978a1342bb6fb822f35e619f78be54c7014c2fa501cd7b12f9f0e4d44f945
SSDEEP

49152:LIWxTdDQkIZXxve4D1JLZIJowmTVh99PaaiLGJfG:+ZBW4pHIJgTVhBiCG

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0017000000023444-9.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
1180	d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe
1180	d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1180-1-0x0000000000400000-0x000000000062B000-memory.dmp	upx
behavioral2/memory/1180-2-0x0000000000400000-0x000000000062B000-memory.dmp	upx
behavioral2/memory/1180-3-0x0000000000400000-0x000000000062B000-memory.dmp	upx
behavioral2/files/0x0017000000023444-9.dat	upx
behavioral2/memory/1180-16-0x00000000056B0000-0x000000000570B000-memory.dmp	upx
behavioral2/memory/1180-12-0x00000000056B0000-0x000000000570B000-memory.dmp	upx
behavioral2/memory/1180-89-0x0000000000400000-0x000000000062B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2624	1180	WerFault.exe	82
3120	1180	WerFault.exe	82
1640	1180	WerFault.exe	82
4832	1180	WerFault.exe	82
4672	1180	WerFault.exe	82
748	1180	WerFault.exe	82
4868	1180	WerFault.exe	82
4776	1180	WerFault.exe	82
2268	1180	WerFault.exe	82
1740	1180	WerFault.exe	82
4924	1180	WerFault.exe	82
4948	1180	WerFault.exe	82
1036	1180	WerFault.exe	82
4148	1180	WerFault.exe	82
4524	1180	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1180	d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe
1180	d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe
1180	d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d207be4b9a704a1951372898e8bb01a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 944
  2⤵
  - Program crash
  PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 988
  2⤵
  - Program crash
  PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 988
  2⤵
  - Program crash
  PID:1640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1008
  2⤵
  - Program crash
  PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1104
  2⤵
  - Program crash
  PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1112
  2⤵
  - Program crash
  PID:748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1112
  2⤵
  - Program crash
  PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1964
  2⤵
  - Program crash
  PID:4776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2016
  2⤵
  - Program crash
  PID:2268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1120
  2⤵
  - Program crash
  PID:1740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2072
  2⤵
  - Program crash
  PID:4924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2168
  2⤵
  - Program crash
  PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2224
  2⤵
  - Program crash
  PID:1036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2072
  2⤵
  - Program crash
  PID:4148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 948
  2⤵
  - Program crash
  PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1180 -ip 1180
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1180 -ip 1180
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1180 -ip 1180
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1180 -ip 1180
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1180 -ip 1180
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1180 -ip 1180
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1180 -ip 1180
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1180 -ip 1180
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1180 -ip 1180
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1180 -ip 1180
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1180 -ip 1180
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1180 -ip 1180
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1180 -ip 1180
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1180 -ip 1180
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1180 -ip 1180
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{308EF7E6-D05D-476C-A53C-36079CD14604}.dll

Filesize
120KB

MD5
c9f333d1ff898672a34805f94a265329

SHA1
2deaac66698fb2e9b3868d23034c3211c508b739

SHA256
07e546811635574c77edfda126b0e5f5292b4ea13f35158eddedcfc3cbf74b6b

SHA512
048c71e48e2def0bfc69ebfb69b834d650a9377082782333f50728fdfd6675df8093d0c87e606022e55d09f81549d4ca3b640bcdd33b9ddc9aace03ee1466add

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\css\style.css

Filesize
2KB

MD5
bf7569fd66b7a398330ab7c1c31965a4

SHA1
efebe9b76fa49deda68efebfaed68f8b4880051f

SHA256
e34727af72f99606ffba57b2cacbcfb101e17fac2f86462d4bde8ff66024eba7

SHA512
2266db6fbbe0ae92c87332e13157114c5f2a72265b74e333bed6ae884346bdb1194b40c0fa127c05ad9287a2b5b80e864ab809b72f971abe02eb510ed2715f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\images\bg_bottom.jpg

Filesize
351B

MD5
f76e35ee80fcd4052ec4e4106a13f2d7

SHA1
1ccb169d78851733e3a384828c06021e1fdd279a

SHA256
a386a4e102b734e6085daa926d3a3950fcbe3c1631018d693095c17e86952a30

SHA512
ce6fc685581e784d1adcd8168c245bfcfe5868657be94c45459c533e318393123245d3a1eac9f6926bc0006dc520848ba6ce00e6a08889e3dd502c706fb1cb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\images\btn_install.jpg

Filesize
3KB

MD5
de97d4ffab1f89b692e05ae961aa2535

SHA1
7d44832261c41732db3522633c29a3abe9e0f662

SHA256
2eb33619ce06d76dd65e5b0196825ae11e089745af9549455cbe0a0c0356b117

SHA512
8f62c62d779bfd8184e21ca4ac533f6619d19c478333e6172015a7413df4743129ee17fad56390ce2e9dd1bdb1f41dd1af181cd43f8ad28e87abb0e8f76395dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\images\btn_quit.jpg

Filesize
2KB

MD5
a47dc0b965f9c5a12645a7cdce093963

SHA1
05efd59dcfd9bb580a2c2a10ffb83a1c7c0f0cbc

SHA256
f62f2bc6e542ec755f182d257c80d3b14d5c968ae52a2062239daf80445d3b42

SHA512
66867c0c94c2d651eace3fdbb498a86f68163502d70a0bb72ba3554de48818e60634471f6778e35dfbf7a5563d89b02eeeb93731557ee82949324da3df266d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\images\index.jpg

Filesize
19KB

MD5
53a64792cf0cf4184e6f925888a3fe4b

SHA1
3a242b9abf7c5d7722d0db3f864d1e58089577e3

SHA256
786d13444e1f52f3263ff9ace9e28b1dd4e5b897ab153f9bfec13050f87389fd

SHA512
e0d1fa6d50d4da2d780948e08eae474de9ae72ed54fb2554d0b6e50152f92be822fa500972ac56091631b445caa542ff927de36ef23edc203597e18dfe9ff3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\images\text1.jpg

Filesize
12KB

MD5
9a58c8baf22f4a76e6b119100a6e51f2

SHA1
1f86835339b552a3b6e67a15b2cfb9ab75037364

SHA256
b37196ce78804826cec7c75b398a9f434979cf3426c12de26c3210d4b89173e1

SHA512
6348e4bab6a92ad928253772171871592ca458bcb3d65beb82f64e8fbbf07d4e7d7a0fb1c86097dc182303a8055e17f3745d162536becd0c55cbf56363122bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\images\text2.jpg

Filesize
4KB

MD5
1965a6e2723f1370a3291a758d22701d

SHA1
59149b9630986114f82937cb92c3298cc52fe024

SHA256
9c33cc36d582d12421298180b6acf3856ee59485d4567c2fbd4c77bebec564d2

SHA512
f38decc62a42c6e53e05b95d8d82511ab82a802a7f93cd8a4b5f6dde28f8e310844276ff142e4096aaad4e7228b769cb90b988d30167b76cef5cc0e94650b067

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{1EBA0169-EEDD-42CD-81A7-957383A0FB8E}\page.html

Filesize
1KB

MD5
f4742470b3b88a5db15e9d70d9115c66

SHA1
a42ad7f088b7bee3d3a16529166bf4704991032b

SHA256
2a45de3d7f2842f07b4328b10a5a659aa17760c6748621f13183dddf49483cc6

SHA512
52c952a82a033c4f082361444d4d90534e2d3c2a87c1afc71cf13eddfaa4322ee1dfdf18dfbe8939a0787cf98df86ed295d0696a338f82d957768d43e62e7aff

Download Submit
memory/1180-0-0x00000000004C1000-0x00000000004C2000-memory.dmp

Filesize
4KB

Download
memory/1180-2-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1180-12-0x00000000056B0000-0x000000000570B000-memory.dmp

Filesize
364KB

Download
memory/1180-16-0x00000000056B0000-0x000000000570B000-memory.dmp

Filesize
364KB

Download
memory/1180-1-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1180-3-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1180-88-0x00000000004C1000-0x00000000004C2000-memory.dmp

Filesize
4KB

Download
memory/1180-89-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1180-91-0x00000000056B0000-0x000000000570B000-memory.dmp

Filesize
364KB

Download