6773ec0b088e735a781b713d27166fbaf926c07ee3f5214e4588f1d55d1439e6

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a6f322ab413435206187421a722d43_JaffaCakes118.exe
Size

184KB
MD5

26a6f322ab413435206187421a722d43
SHA1

392e61f5e8c70d6806e9f2b8353be15e4c6f8003
SHA256

6773ec0b088e735a781b713d27166fbaf926c07ee3f5214e4588f1d55d1439e6
SHA512

35ffa7cf10ccfc0584dadd37ad9995ea59bebc61ccd5e0fd0a134f5e16dbe0b593e594e482f31c2011cd019366f3e773c4be6861d494868f460be91fa2e0c5cc
SSDEEP

3072:Ugl2ozmOfYA0rOjEdc1tC8NjFPiF6dDfohDEA8KPpQNlkvpFW:UgwoD50r7dQtC8ZweJNlkvpF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2064	Unicorn-22697.exe
2092	Unicorn-15930.exe
2984	Unicorn-50460.exe
2688	Unicorn-18961.exe
2884	Unicorn-65442.exe

Loads dropped DLL 35 IoCs

pid	Process
1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe
1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe
2064	Unicorn-22697.exe
2064	Unicorn-22697.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2092	Unicorn-15930.exe
2092	Unicorn-15930.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2984	Unicorn-50460.exe
2984	Unicorn-50460.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2688	Unicorn-18961.exe
2688	Unicorn-18961.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2768	1920	WerFault.exe	30
2720	2064	WerFault.exe	31
2612	2092	WerFault.exe	33
2596	2984	WerFault.exe	35
2044	2688	WerFault.exe	37
1972	2884	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26a6f322ab413435206187421a722d43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22697.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15930.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65442.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe
2064	Unicorn-22697.exe
2092	Unicorn-15930.exe
2984	Unicorn-50460.exe
2688	Unicorn-18961.exe
2884	Unicorn-65442.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2064	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2064	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2064	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2064	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2768	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	26a6f322ab413435206187421a722d43_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2092	2064	Unicorn-22697.exe	33
PID 2064 wrote to memory of 2092	2064	Unicorn-22697.exe	33
PID 2064 wrote to memory of 2092	2064	Unicorn-22697.exe	33
PID 2064 wrote to memory of 2092	2064	Unicorn-22697.exe	33
PID 2064 wrote to memory of 2720	2064	Unicorn-22697.exe	34
PID 2064 wrote to memory of 2720	2064	Unicorn-22697.exe	34
PID 2064 wrote to memory of 2720	2064	Unicorn-22697.exe	34
PID 2064 wrote to memory of 2720	2064	Unicorn-22697.exe	34
PID 2092 wrote to memory of 2984	2092	Unicorn-15930.exe	35
PID 2092 wrote to memory of 2984	2092	Unicorn-15930.exe	35
PID 2092 wrote to memory of 2984	2092	Unicorn-15930.exe	35
PID 2092 wrote to memory of 2984	2092	Unicorn-15930.exe	35
PID 2092 wrote to memory of 2612	2092	Unicorn-15930.exe	36
PID 2092 wrote to memory of 2612	2092	Unicorn-15930.exe	36
PID 2092 wrote to memory of 2612	2092	Unicorn-15930.exe	36
PID 2092 wrote to memory of 2612	2092	Unicorn-15930.exe	36
PID 2984 wrote to memory of 2688	2984	Unicorn-50460.exe	37
PID 2984 wrote to memory of 2688	2984	Unicorn-50460.exe	37
PID 2984 wrote to memory of 2688	2984	Unicorn-50460.exe	37
PID 2984 wrote to memory of 2688	2984	Unicorn-50460.exe	37
PID 2984 wrote to memory of 2596	2984	Unicorn-50460.exe	38
PID 2984 wrote to memory of 2596	2984	Unicorn-50460.exe	38
PID 2984 wrote to memory of 2596	2984	Unicorn-50460.exe	38
PID 2984 wrote to memory of 2596	2984	Unicorn-50460.exe	38
PID 2688 wrote to memory of 2884	2688	Unicorn-18961.exe	39
PID 2688 wrote to memory of 2884	2688	Unicorn-18961.exe	39
PID 2688 wrote to memory of 2884	2688	Unicorn-18961.exe	39
PID 2688 wrote to memory of 2884	2688	Unicorn-18961.exe	39
PID 2688 wrote to memory of 2044	2688	Unicorn-18961.exe	40
PID 2688 wrote to memory of 2044	2688	Unicorn-18961.exe	40
PID 2688 wrote to memory of 2044	2688	Unicorn-18961.exe	40
PID 2688 wrote to memory of 2044	2688	Unicorn-18961.exe	40
PID 2884 wrote to memory of 1972	2884	Unicorn-65442.exe	41
PID 2884 wrote to memory of 1972	2884	Unicorn-65442.exe	41
PID 2884 wrote to memory of 1972	2884	Unicorn-65442.exe	41
PID 2884 wrote to memory of 1972	2884	Unicorn-65442.exe	41

C:\Users\Admin\AppData\Local\Temp\26a6f322ab413435206187421a722d43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a6f322ab413435206187421a722d43_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\Unicorn-22697.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-22697.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-15930.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-15930.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50460.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50460.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18961.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18961.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65442.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 240
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 236
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 236
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 236
  2⤵
  - Program crash
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Unicorn-15930.exe

Filesize
184KB

MD5
8c545a0513d670aa8a45b5748d6aa563

SHA1
7212f0b9c665cba080ab1ac25b93292f1adda074

SHA256
254bffdb98aae3e4c9352ebaf54cfbd9b66669063b3859676d2bec9d7c07b47c

SHA512
8a4c648fe71780b44fc8bd734c58eddaba2afd4d0f9e153426c9cc5bf5f8830ccffb8f9df554b02560d4c0b09d667e4ffcffa4579375ed0ffea2fcdbe72a3efc

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-18961.exe

Filesize
184KB

MD5
424927b6803bafdd4521b4a3296f92b9

SHA1
e5d696dc3ee548e5d8a4f3f4fa17d610887bf61f

SHA256
9eed117aa23810cf1a8867687faac41d10dfec6d302cb4f7320c004bfd4d94fc

SHA512
aa0a6b42d1241b8e0ed039c5c746b722b710acab41c3c725e66ffea626a945a8f81eaf72a245228fcd786b36e51ca4bbd35a1173f190f01b1fab2d577e4a58a9

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-22697.exe

Filesize
184KB

MD5
6f42216667c2ed559cf1a251dd9a78bb

SHA1
06082b22cdb9410661f9a32d4c9b362d82742b4a

SHA256
3ef58be62684f70cc28197e1fd7c10375abb631fd85ec3feb2763135845c8675

SHA512
468614c9394c8cbd2f156eb33301334acdc4a3501e7978aa5e5443c8987d76ebf6f1f8e301e0d36a42e5c9b3d8d78b89fb3970bfc9b78376bd2706b78ce6a282

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50460.exe

Filesize
184KB

MD5
af5837ff569e4203520a72e0d63045d9

SHA1
cbe3695012baf34a4a584b7f39aec0edee7b7f16

SHA256
3c1cb1fc85751772432a50226409bed524c548ac10904f9077b5e0a422ef37b7

SHA512
d30e7b7f77f58e9fd75ac741702dbc95ab04ad4083fa107a8123fbc97d3bfea307e9629bea917e1ae4236d4342271411e5979e86370e70301934075517b3122f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-65442.exe

Filesize
184KB

MD5
6ae8738834515d7ae02e4eb2a279dc94

SHA1
526c1f6de22fd0c710a101777c5056426fef4455

SHA256
603fdb2045ef9d9a893308f86ffeb025b5c76d2d5ee7803935e47223a2cdc603

SHA512
b1b7f5d095088c4530adbb918eb7522e2e6b73ef7c35b006057a5826d7d53ef221a49f86c4607f4786340061770f4563158ffb8289b6a2d8384630667486757c

Download Submit