1e3dabce3c3fed5c436e324c353f1be38be6aea29aac90db3c2d9c6dd066e00c

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe
Size

250KB
MD5

0840f2a5075f1bb3ed2c1ad89a47057b
SHA1

81752d5ffa1933433f009a9bb8cc9ac1ad2490b5
SHA256

1e3dabce3c3fed5c436e324c353f1be38be6aea29aac90db3c2d9c6dd066e00c
SHA512

ba9acfbcfb8d5c278e0b3001087cf787fd85837aa02a6a40b38605ce9096b6d7c0ec47c184c3cc8faf3dc4f5843bf01e48f9d8622b0fd57036302fc74bacea79
SSDEEP

3072:rQpH1+b2BUFjoVYAeHV0pkXtV1YrrTsGAEGZqFNLzYNXLXC7arPYbBfeQwwgAnA:k6SBgjiYKk9yIGAJQFmTqSoxeQQyA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	server.exe

Loads dropped DLL 6 IoCs

pid	Process
3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe
3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	3008	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe
2792	DllHost.exe
2792	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3008	3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe	30
PID 3064 wrote to memory of 3008	3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe	30
PID 3064 wrote to memory of 3008	3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe	30
PID 3064 wrote to memory of 3008	3064	0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1696	3008	server.exe	31
PID 3008 wrote to memory of 1696	3008	server.exe	31
PID 3008 wrote to memory of 1696	3008	server.exe	31
PID 3008 wrote to memory of 1696	3008	server.exe	31

C:\Users\Admin\AppData\Local\Temp\0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0840f2a5075f1bb3ed2c1ad89a47057b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1696

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Winter.jpg

Filesize
103KB

MD5
2ba72260cb3b220cf9b1d642e714256d

SHA1
be960b7022035eca8b287904c738dc6fcde6ee91

SHA256
fd696cdcd2200799e819b7ff08ed62208099d3e6606772ad9f43aeb14f3f7804

SHA512
03b7da6d16fdaf7a5ace1ee1aee8202aa462fdff26ace5ccef3bbb4aaf90269e4aa3d3fbb21ce9a2944d47639d47ba8e4e7861ad0f2d6460e1e1a4a3b1c1f52c

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
6KB

MD5
a478e9681c5161a9150454214f8c2723

SHA1
e0e49f5f3bb53c5c3aef1c9cdc6f8ca261448767

SHA256
0fc11d42a05310e51e0fe8c19d0e7bd9c3757c0ac309cce7b123f7dfde0927fe

SHA512
2d99bd773363fd05501394921a50d587ad376f9cb39d243082fe0bb9d3a4775c9cf762dfc4e98315580110b5597c8c3d9150c002a1eca3a2293237149a99e927

Download Submit
memory/2792-17-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2792-19-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2792-22-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3008-21-0x0000000000400000-0x0000000000401800-memory.dmp

Filesize
6KB

Download
memory/3064-16-0x00000000031D0000-0x00000000031D2000-memory.dmp

Filesize
8KB

Download