Overview

overview

7

Static

static

3

28131be3d7...18.exe

windows7-x64

7

28131be3d7...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe

  • Size

    225KB

  • MD5

    28131be3d75a7824c137edb70f1940a5

  • SHA1

    0005a7be8633de2e4b0c8220317c6ac9afaf7cd4

  • SHA256

    d3415b3f45c0cc0149b352f0fbeac0225a98b70a93b99682a5ea346d37f5f204

  • SHA512

    ebbd4d7197f1c7267f04b9ef2efb25749f5015ac2199a08cee958a0e330b9ae9d8fd198bd5d02469e872e5ba82d291f37ed161be86c3b697fbe2495de331d74c

  • SSDEEP

    3072:VTTz7E25tzKGn45kIIerkDcRQHfKlTbNUYdhofDnLNHHn7k+Mfe7qDBhkmwO9JOH:1lGC41kD61SfDLNq8O9J47

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 15 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 648
      2⤵
      • Program crash
      PID:3368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 712
      2⤵
      • Program crash
      PID:1936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 856
      2⤵
      • Program crash
      PID:4740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 880
      2⤵
      • Program crash
      PID:1700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 868
      2⤵
      • Program crash
      PID:4488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1016
      2⤵
      • Program crash
      PID:3248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1028
      2⤵
      • Program crash
      PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4592 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\gcnyv.exe -f
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /pid 4592
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2888
      • C:\Users\Admin\AppData\Local\gcnyv.exe
        C:\Users\Admin\AppData\Local\gcnyv.exe -f
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 832
          4⤵
          • Program crash
          PID:2408
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 900
          4⤵
          • Program crash
          PID:2452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1176
          4⤵
          • Program crash
          PID:5076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1180
          4⤵
          • Program crash
          PID:1696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1172
          4⤵
          • Program crash
          PID:4028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1208
          4⤵
          • Program crash
          PID:1960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1248
          4⤵
          • Program crash
          PID:1272
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 140
      2⤵
      • Program crash
      PID:2732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4592 -ip 4592
    1⤵
      PID:4968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4592 -ip 4592
      1⤵
        PID:2512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4592 -ip 4592
        1⤵
          PID:2260
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4592 -ip 4592
          1⤵
            PID:5012
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4592 -ip 4592
            1⤵
              PID:4040
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4592 -ip 4592
              1⤵
                PID:2828
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592
                1⤵
                  PID:4228
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4592 -ip 4592
                  1⤵
                    PID:2152
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4012 -ip 4012
                    1⤵
                      PID:3992
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4012 -ip 4012
                      1⤵
                        PID:2016
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012
                        1⤵
                          PID:760
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4012 -ip 4012
                          1⤵
                            PID:1736
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4012 -ip 4012
                            1⤵
                              PID:3936
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4012 -ip 4012
                              1⤵
                                PID:1072
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4012 -ip 4012
                                1⤵
                                  PID:2408

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\gcnyv.exe
                                  Filesize

                                  225KB

                                  MD5

                                  28131be3d75a7824c137edb70f1940a5

                                  SHA1

                                  0005a7be8633de2e4b0c8220317c6ac9afaf7cd4

                                  SHA256

                                  d3415b3f45c0cc0149b352f0fbeac0225a98b70a93b99682a5ea346d37f5f204

                                  SHA512

                                  ebbd4d7197f1c7267f04b9ef2efb25749f5015ac2199a08cee958a0e330b9ae9d8fd198bd5d02469e872e5ba82d291f37ed161be86c3b697fbe2495de331d74c

                                  Download Submit

                                • memory/4012-15-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-18-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-33-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-31-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-9-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-10-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-13-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-29-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-27-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-20-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-16-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-22-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4012-24-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4592-1-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4592-0-0x00000000005B0000-0x00000000005B1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4592-2-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download

                                • memory/4592-5-0x0000000001000000-0x00000000010CC000-memory.dmp

                                  Filesize

                                  816KB

                                  Download