09110516ddf386aa2a12786534aa776e7d7ce3139f29f28b9444809a37ba60ac

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe
Size

152KB
MD5

fba00cc3560b2f63732b8fdcf44a97c7
SHA1

658f3e2ccc76466e7013b5ba3c7a8d015f8dbc44
SHA256

09110516ddf386aa2a12786534aa776e7d7ce3139f29f28b9444809a37ba60ac
SHA512

89287ed9445a809a8c0b5c38924d38341c862f0b409e1acf73239dca40e20c1861db8c37a8b6c7fc109551e2410214b28e40467b1cdaac0a72d81078dd624168
SSDEEP

3072:w8qtJCWXzfYrE1Oo9tghFX9yRoDo3ZsFql04:w8+JCWXzfTsojvc1qi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3280	wuamgrd.exe
2992	wuamgrd.exe
4636	wuamgrd.exe
60	wuamgrd.exe
3616	wuamgrd.exe
1188	wuamgrd.exe
2888	wuamgrd.exe
2972	wuamgrd.exe
3188	wuamgrd.exe
1332	wuamgrd.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3280	4936	fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe	82
PID 4936 wrote to memory of 3280	4936	fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe	82
PID 4936 wrote to memory of 3280	4936	fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe	82
PID 3280 wrote to memory of 2992	3280	wuamgrd.exe	88
PID 3280 wrote to memory of 2992	3280	wuamgrd.exe	88
PID 3280 wrote to memory of 2992	3280	wuamgrd.exe	88
PID 2992 wrote to memory of 4636	2992	wuamgrd.exe	92
PID 2992 wrote to memory of 4636	2992	wuamgrd.exe	92
PID 2992 wrote to memory of 4636	2992	wuamgrd.exe	92
PID 4636 wrote to memory of 60	4636	wuamgrd.exe	94
PID 4636 wrote to memory of 60	4636	wuamgrd.exe	94
PID 4636 wrote to memory of 60	4636	wuamgrd.exe	94
PID 60 wrote to memory of 3616	60	wuamgrd.exe	95
PID 60 wrote to memory of 3616	60	wuamgrd.exe	95
PID 60 wrote to memory of 3616	60	wuamgrd.exe	95
PID 3616 wrote to memory of 1188	3616	wuamgrd.exe	96
PID 3616 wrote to memory of 1188	3616	wuamgrd.exe	96
PID 3616 wrote to memory of 1188	3616	wuamgrd.exe	96
PID 1188 wrote to memory of 2888	1188	wuamgrd.exe	97
PID 1188 wrote to memory of 2888	1188	wuamgrd.exe	97
PID 1188 wrote to memory of 2888	1188	wuamgrd.exe	97
PID 2888 wrote to memory of 2972	2888	wuamgrd.exe	98
PID 2888 wrote to memory of 2972	2888	wuamgrd.exe	98
PID 2888 wrote to memory of 2972	2888	wuamgrd.exe	98
PID 2972 wrote to memory of 3188	2972	wuamgrd.exe	99
PID 2972 wrote to memory of 3188	2972	wuamgrd.exe	99
PID 2972 wrote to memory of 3188	2972	wuamgrd.exe	99
PID 3188 wrote to memory of 1332	3188	wuamgrd.exe	100
PID 3188 wrote to memory of 1332	3188	wuamgrd.exe	100
PID 3188 wrote to memory of 1332	3188	wuamgrd.exe	100

C:\Users\Admin\AppData\Local\Temp\fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\wuamgrd.exe
  C:\Windows\system32\wuamgrd.exe 1160 "C:\Users\Admin\AppData\Local\Temp\fba00cc3560b2f63732b8fdcf44a97c7_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\wuamgrd.exe
    C:\Windows\system32\wuamgrd.exe 1148 "C:\Windows\SysWOW64\wuamgrd.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\wuamgrd.exe
      C:\Windows\system32\wuamgrd.exe 1120 "C:\Windows\SysWOW64\wuamgrd.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1124 "C:\Windows\SysWOW64\wuamgrd.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
      - C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1128 "C:\Windows\SysWOW64\wuamgrd.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1132 "C:\Windows\SysWOW64\wuamgrd.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1136 "C:\Windows\SysWOW64\wuamgrd.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1140 "C:\Windows\SysWOW64\wuamgrd.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1144 "C:\Windows\SysWOW64\wuamgrd.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 1164 "C:\Windows\SysWOW64\wuamgrd.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wuamgrd.exe

Filesize
152KB

MD5
fba00cc3560b2f63732b8fdcf44a97c7

SHA1
658f3e2ccc76466e7013b5ba3c7a8d015f8dbc44

SHA256
09110516ddf386aa2a12786534aa776e7d7ce3139f29f28b9444809a37ba60ac

SHA512
89287ed9445a809a8c0b5c38924d38341c862f0b409e1acf73239dca40e20c1861db8c37a8b6c7fc109551e2410214b28e40467b1cdaac0a72d81078dd624168

Download Submit