357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Size

1.0MB
MD5

09f8745d138f25e807860f9f7bb16d0e
SHA1

4f3d20d1b0b745d0857121d4036fd1b95ddd722e
SHA256

357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca
SHA512

f732e6a8068033fa282abe3447c891e2276f711f805ae6f110f830d1f933c1181011b975c33335b4596d220b9650e0478d4f73d3f37f333e75a11b0f02c27d7c
SSDEEP

24576:0ty/AMkERzF1fcEdN+ZQVZXBM348cBscckNvLSbgpMSLz+jJtdtvgw:0LEH1dfVF2I8uscckdLSbgpMk+t1gw

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3996	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1020	3996	WerFault.exe	82
2936	3996	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3996	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
3996	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3996	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
3996	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3996	1856	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	82
PID 1856 wrote to memory of 3996	1856	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	82
PID 1856 wrote to memory of 3996	1856	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\nsaA0C6.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsaA0C6.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsaA0C6.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsaA0C6.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2340
    3⤵
    - Program crash
    PID:1020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2364
    3⤵
    - Program crash
    PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3996 -ip 3996
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3996 -ip 3996
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\$IPMRWDC

Filesize
98B

MD5
3d7eeba76dec153a982ce6fae294ff5a

SHA1
51863b61f172e90f2ead4f3f975c8ed5eba8490d

SHA256
c8458c43572306ccd2506456a17c586abe20f8d45a56d547848e60157a026c31

SHA512
5138b25dd4e717b2289fb31c08dc0954ff6914d351f011ffd81c52b86bcfc88d41ada11a33af50b1e306b51b4783db9235ce6cf6e1504c9a62174320bea47241

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D61181D97154EBC85E423D7A41BE169\8D61181D97154EBC85E423D7A41BE169_LogFile.txt

Filesize
670B

MD5
44fd0463ff57f7e33b7140a2bf8a88db

SHA1
dddc0ebb2df50471e4432cc2d152c3acb3af272c

SHA256
59c5fd6ebd303f70ab3a83c0afbc6ea17fc2fa8f12c28ffe44811e09867c8837

SHA512
fca6894e5802870a9609790ed388db5de5452b9dd2f17d0e54210b2041f4987d2a1f71b02a82d9d63572495fd808f8783c90db8be93856d61d1c269fdbcdff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D61181D97154EBC85E423D7A41BE169\8D61181D97154EBC85E423D7A41BE169_LogFile.txt

Filesize
2KB

MD5
9598e8c65fe70f01561a709b87f337de

SHA1
eb38dd3d461274bed1e06bc7d1b0f7ef382a544a

SHA256
ccdf6a581c2287c2efe760acb2d4fcb1ce4da0c9ca19437b4fcac35c6f4c86af

SHA512
f537a292806f395e154db79d7298d0f649fe6bdaa1449849250aebb8d09f407e7f79a3bdb4a9fe7c6be4aaeff002f68bf446e80ed98df55faf5869a4d98261e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D61181D97154EBC85E423D7A41BE169\8D61181D97154EBC85E423D7A41BE169_LogFile.txt

Filesize
3KB

MD5
bde4ebf8e6b49ab9f9150bed2227ab56

SHA1
a0f2c63bf70b34274f6691fd9c88d807b5d8dd5a

SHA256
0ae0d682607304246666c039dda0dc3fc5a0530477d2432cbf943d30e9bed2e3

SHA512
44ca91e3a69dbd3c047ab5aaa1b7fc6e6e6170ce6e0458473c26682a6b2002998f7423a279939fb6ec6855b0882b47ec83f2db6fa020d8baf7c6c4bb2737d11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D61181D97154EBC85E423D7A41BE169\8D61181D97154EBC85E423D7A41BE169_LogFile.txt

Filesize
4KB

MD5
3b73f82932791fcb6bebc9047aade56d

SHA1
0db38b8b910c1f4fb96eccf86dd3bc36fae5bfa1

SHA256
dd1a2dad81005ecd5bc6ebbb85611f6113b8f586f8c801632a6f0c3dbd64d0df

SHA512
28fb3e50be6e3fb1abdefa72252e324d0e7f7cf6641bce8544f2240bcdd8dc5b288b67417b9a21554a81a3b38a8c005b439503b763f9499c3aa3cfdebfa5849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D61181D97154EBC85E423D7A41BE169\index.html

Filesize
608KB

MD5
1bd69b138c5b77bfc11ef8ef18263a1f

SHA1
0ef81f61b5ff325a5e47e96ff044a5ca2b211bf6

SHA256
ca20e9421c499324bf51a41bb156dc4ebf466b2f279e27059079a07fca0ca8b1

SHA512
e4ee339aefd47529e5f290a4685d2268d189123112e338bd5b397defd9b8679ee3445d2688def20d59fc5f7098055357348406fc1a91decf158bfa5367220e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA0C6.tmp\fallbackfiles\index.7ze

Filesize
208KB

MD5
75e10bbc4a869080b47c151c05e83777

SHA1
df12169fec3c26da438733ecfc8aad6cbb437eab

SHA256
83f1801408b2592036c221c7cdfd661bc852c06433fa77ce719926bc8195c5f3

SHA512
de850e0a4912aa187869d67d3be0cf87afa2981e8f33e9ab43081b8ceb85ff6780e890483a03df32b3c35409a37cd7909b0d317e3abd9eee9a26dacfbebf6a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA0C6.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Filesize
1.7MB

MD5
2ee2b50b5e4ca76e33244569b962c139

SHA1
2dc786b5da140ba79e6fd6288e8f6c34e0d8dab3

SHA256
d47132aafe3e47d4296266854582c3056bc527efcf2982652bd33e2108255b44

SHA512
cba8d1c5f9ee4102310acf8cb1990952611ccacb82d2ec7fc76741e0651a1569090d09af3408e45c79362d8a22d0643549a38115750de3536edad44241dd2f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA0C6.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118_icon.ico

Filesize
31KB

MD5
30430957e675f266e56dac20764c081c

SHA1
18f71953953787795e0b0b32bcc367d23a67b5f5

SHA256
5f281671e0eba3728c0f2d46f05721042c9ea98f5d02791438dbfdfa3e15dba6

SHA512
3a888725349d1b1b9313b62c1666dce55a2132b1d3b4fa9f05bf65c5bb966ebe47ccb42c9f00dded0d0858c4658085b6fbbed601e30edaddc5dcec78266a8fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA0C6.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118_splash.png

Filesize
129KB

MD5
86c6e4408d9a14285fe4148f0d4695b6

SHA1
a974a8b1225635490176fe02893dc0395f22bcc5

SHA256
f69c403c12436a163a4f8324562fe45c000f6b6eaf3fe940591b5f296086663a

SHA512
2ab52a54371a34db5aa9c4b2cf1fa60b56e6ca06db1ecf9f6e5d79ce2dd446eb833779e6cacee00e8fb9909882d3ad5495af464b4df4c8d13f73d6935a091ff6

Download Submit
memory/1856-235-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-74-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download