a1c033d050f9e60f87abe71a9b14a85b747bbaf2abbea3bc0c766b76bfd5f8cf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
Size

2.0MB
MD5

083b44615f4858b75388d2447f19cc9b
SHA1

2cd44ab4ca2714964e5566ee2b208d462d985140
SHA256

a1c033d050f9e60f87abe71a9b14a85b747bbaf2abbea3bc0c766b76bfd5f8cf
SHA512

ab2e02ec0f16b9f4188be1c466675fafde29d1345864639a135b7fad22bb7328c78d439b3340f0b2368c8ec70649d406737a66e4e7b937a1bdf5e002a6703a0a
SSDEEP

49152:Wpa0rE0om3z7pU9Sz0HiXXjwwv8Jrl8CxdXIXR7AUU9Sz0HiXXjwwv8Jr:Wpa0Lom3z7pU9Sz0UXjwwv8Jr+sdXIh+

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/412-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00090000000233b1-12.dat	upx
behavioral2/memory/4324-13-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3368	4324	WerFault.exe	83
1252	4324	WerFault.exe	83
3504	4324	WerFault.exe	83
1524	4324	WerFault.exe	83
1948	4324	WerFault.exe	83
3160	4324	WerFault.exe	83
1912	4324	WerFault.exe	83
3308	4324	WerFault.exe	83
624	4324	WerFault.exe	83
1568	4324	WerFault.exe	83
1648	4324	WerFault.exe	83
1108	4324	WerFault.exe	83
4312	4324	WerFault.exe	83
3408	4324	WerFault.exe	83
1524	4324	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1804	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
412	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
412	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4324	412	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	83
PID 412 wrote to memory of 4324	412	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	83
PID 412 wrote to memory of 4324	412	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	83
PID 4324 wrote to memory of 1804	4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	84
PID 4324 wrote to memory of 1804	4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	84
PID 4324 wrote to memory of 1804	4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	84
PID 4324 wrote to memory of 1432	4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	86
PID 4324 wrote to memory of 1432	4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	86
PID 4324 wrote to memory of 1432	4324	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	86
PID 1432 wrote to memory of 4988	1432	cmd.exe	88
PID 1432 wrote to memory of 4988	1432	cmd.exe	88
PID 1432 wrote to memory of 4988	1432	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe" /TN IpGA05kf87aa /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN IpGA05kf87aa > C:\Users\Admin\AppData\Local\Temp\H2hvYLwUs.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN IpGA05kf87aa
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 616
    3⤵
    - Program crash
    PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 628
    3⤵
    - Program crash
    PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 716
    3⤵
    - Program crash
    PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 720
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 744
    3⤵
    - Program crash
    PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 780
    3⤵
    - Program crash
    PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1392
    3⤵
    - Program crash
    PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1492
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1548
    3⤵
    - Program crash
    PID:624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1588
    3⤵
    - Program crash
    PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1552
    3⤵
    - Program crash
    PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1748
    3⤵
    - Program crash
    PID:1108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1556
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1548
    3⤵
    - Program crash
    PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 712
    3⤵
    - Program crash
    PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4324 -ip 4324
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4324 -ip 4324
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4324 -ip 4324
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4324 -ip 4324
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4324 -ip 4324
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4324 -ip 4324
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4324 -ip 4324
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4324 -ip 4324
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4324 -ip 4324
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4324 -ip 4324
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4324 -ip 4324
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4324 -ip 4324
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4324 -ip 4324
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4324 -ip 4324
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4324 -ip 4324
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Filesize
2.0MB

MD5
c2a2adb6bdfc129db4a912b759e0ea1a

SHA1
7420b9938a064fe6ba978653dbca6201840b55f9

SHA256
f6df9fc6ba490fa8fc2c4e6a2a847f44cddb7c37171068f17b6d902ebf2b5486

SHA512
0270b9fe4849c608a7e211d276322474bb0ffb52a1e80ed55edc4d909bc1ca9bcf5f7d6d2ab08018023ecf87f6340e33cdac4975ff92304485c5d2fd42b140c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2hvYLwUs.xml

Filesize
1KB

MD5
62fd28b0116371fe4a0a8117a3f6749d

SHA1
2a21f17afa6f56fe07f935538d44bf6209270921

SHA256
816cd66502455d5849c6120f018b9d4d3747c78a529a7906e720ed4a4472a201

SHA512
3f9aa3262b55768137f0febd8a1a7bf0ac3e0d706629f1ae0c9ba7f540b243712bcbccee09a9ecd15c65e6b16b170c090089e6baee2815972a7d36ab81350fc5

Download Submit
memory/412-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/412-7-0x0000000001750000-0x00000000017CE000-memory.dmp

Filesize
504KB

Download
memory/412-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/412-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4324-21-0x00000000016F0000-0x000000000176E000-memory.dmp

Filesize
504KB

Download
memory/4324-13-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4324-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/4324-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4324-38-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads