Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-09-2024 15:21
General
-
Target
faa68f4cac61953b31bd4fdf8e11f765_JaffaCakes118.exe
-
Size
186KB
-
MD5
faa68f4cac61953b31bd4fdf8e11f765
-
SHA1
62aa856e75853bd4c7b96fe20d2dc34b448944da
-
SHA256
b394810f960459d683316463f67f7c95a2b2cdc736573b0b021f630f1b5754e3
-
SHA512
663474d3724ad9e96038900044f4c9f096f482542d727e60b9e7a48f481c07e21e544926ae20c71e58d00967a064565e940c409c0775847593c60cc32f8cbb4d
-
SSDEEP
3072:4LbKuZKzXw2RjwkfqrIWUEbskfsmbL9Nn0uNFi+O0xShCzukYr+:ehKDHpwspcb4mn9Nr5OCgCzuBK
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\faa68f4cac61953b31bd4fdf8e11f765_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\faa68f4cac61953b31bd4fdf8e11f765_JaffaCakes118.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe8⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe10⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe12⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe13⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe15⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe16⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe17⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe18⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe19⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe20⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe21⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe22⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe23⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe24⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe25⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe26⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe27⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe28⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe29⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe30⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe31⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe32⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe33⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe34⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe35⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe36⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe37⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe38⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe40⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe41⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe42⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe43⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe44⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe45⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe46⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe47⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe48⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe49⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe50⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe51⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe52⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe53⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe54⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe55⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe56⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe57⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe58⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe59⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe60⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe61⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe62⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe63⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe64⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe66⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe67⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe68⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe69⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe70⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe71⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe72⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe73⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe74⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe75⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe76⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe77⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe78⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe79⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe80⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe81⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe82⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe83⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe84⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe85⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe86⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe87⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe88⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe89⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe90⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe91⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe92⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe93⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe94⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe95⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe96⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe97⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe98⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe99⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe100⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe101⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe102⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe103⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe104⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe105⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe106⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe107⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe108⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe109⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe110⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe111⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe112⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe113⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe114⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe115⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe116⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe117⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe118⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe119⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe120⤵
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-