Overview

overview

6

Static

static

3

e0c5cf2f38...18.exe

windows7-x64

6

e0c5cf2f38...18.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    121s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0c5cf2f3842d8ee76c1209304c90b03_JaffaCakes118.exe

  • Size

    423KB

  • MD5

    e0c5cf2f3842d8ee76c1209304c90b03

  • SHA1

    5c849ec994803c11ccbf845474793076e3ed7750

  • SHA256

    140b6a94300ae3033e33e6c7a98f0bf64ddf669926cd1c7b3315c3f3fac6f031

  • SHA512

    7a63a3fb0e50862cb1ac406fc4ea203ba6a7c865291fef6efab7e38269db18f72e7917395a446ab353a0e8507281d328e89c4a15ee9eb7c592a238d63047deb1

  • SSDEEP

    6144:uWrd4M+9IlrTo/6Zcn4T2wKO+y56SPDtpatLKw/HvP+6V+2ltjUDBEiTuNiF1x2W:uapoU2wmy56sp9w/3rqyjohvE0/

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0c5cf2f3842d8ee76c1209304c90b03_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0c5cf2f3842d8ee76c1209304c90b03_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 400
      2⤵
      • Program crash
      PID:4924
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1972
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 360
        3⤵
        • Program crash
        PID:3708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1416 -ip 1416
    1⤵
      PID:2348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1972 -ip 1972
      1⤵
        PID:4048

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\ProgramData\MyaafgH\EwqlgaO\WjkpslS.exe
        Filesize

        423KB

        MD5

        e0c5cf2f3842d8ee76c1209304c90b03

        SHA1

        5c849ec994803c11ccbf845474793076e3ed7750

        SHA256

        140b6a94300ae3033e33e6c7a98f0bf64ddf669926cd1c7b3315c3f3fac6f031

        SHA512

        7a63a3fb0e50862cb1ac406fc4ea203ba6a7c865291fef6efab7e38269db18f72e7917395a446ab353a0e8507281d328e89c4a15ee9eb7c592a238d63047deb1

        Download Submit

      • memory/1416-16-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1416-2-0x00000000007D0000-0x0000000000817000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1416-5-0x0000000002690000-0x0000000002709000-memory.dmp

        Filesize

        484KB

        Download

      • memory/1416-4-0x0000000000520000-0x000000000052D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1416-3-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1416-6-0x0000000002260000-0x0000000002261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1416-0-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1416-17-0x00000000007D0000-0x0000000000817000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1972-14-0x0000000000F70000-0x0000000000FB7000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1972-12-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1972-13-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1972-11-0x0000000000D60000-0x0000000000D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1972-18-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1972-20-0x00000000034C0000-0x0000000003539000-memory.dmp

        Filesize

        484KB

        Download

      • memory/1972-19-0x0000000000EB0000-0x0000000000EBD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1972-21-0x0000000003280000-0x0000000003281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1972-22-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1972-23-0x0000000000F70000-0x0000000000FB7000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1972-10-0x0000000000400000-0x0000000000500000-memory.dmp

        Filesize

        1024KB

        Download