b2d022b53c4217b6a69d459cfe7abee3e2ecd9a677ae79b85b08c4b1ae1466a8

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe
Size

7.3MB
MD5

fec94116ec979656289c7f6dbac7d110
SHA1

c8f237aa8d88744b38b91b73b2e45079cc6137c1
SHA256

b2d022b53c4217b6a69d459cfe7abee3e2ecd9a677ae79b85b08c4b1ae1466a8
SHA512

41d79ee510336427ae515f146ed04fb67bdc93f3794716040d2167fb548f2d7e90ebcebe201fd115c74aa8e3e8a451f317256bbe05b59c10739e3a58c85a4d0f
SSDEEP

768:LyNovA586VA/H/pAcbVugAFBbadjHO+yav9Hps61JqL0L0LVLj:L7t5ZbVug2Fada+y0BpbDqL0L0LVLj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	ICWCONN1.EXE

Loads dropped DLL 5 IoCs

pid	Process
2276	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe
2276	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	1664	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICWCONN1.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1664	2276	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1664	2276	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1664	2276	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1664	2276	fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe	28
PID 1664 wrote to memory of 1980	1664	ICWCONN1.EXE	29
PID 1664 wrote to memory of 1980	1664	ICWCONN1.EXE	29
PID 1664 wrote to memory of 1980	1664	ICWCONN1.EXE	29
PID 1664 wrote to memory of 1980	1664	ICWCONN1.EXE	29

C:\Users\Admin\AppData\Local\Temp\fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fec94116ec979656289c7f6dbac7d110_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE
  "C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE" C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\FEC94116EC979656289C7F6DBAC7D110_JAFFACAKES118.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ONLINE SERVICES\ICWCONN1.EXE

Filesize
16.7MB

MD5
c4e2a73f4504cb7a0eb0f4217f343ee9

SHA1
66a884f8c0c84e96d54a70904f401846bbe183d8

SHA256
f62d6bb9ec6b2b32d6470c7265e0f181fb7974c00fe01a995268ffceae00447a

SHA512
4f6e678369e5c9de7b0dcda0b970b7edc410543cd007073a56cee6a0e470b0855a7ea476515a9410092147b061793ffc8596dbbf476ce7937255578313797122

Download Submit
memory/1664-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1664-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2276-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2276-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2276-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2276-15-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2276-14-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download