54cca7a7bc26fda3b3c9cb56adb911982218a60607163f561b5e7bff03624f63

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 16:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
Size

181KB
MD5

30b9357bd0e3612745585f11af496dd2
SHA1

679371dc4262665d4de5573e4c072b68540f8132
SHA256

54cca7a7bc26fda3b3c9cb56adb911982218a60607163f561b5e7bff03624f63
SHA512

ae5b5a4f2c302701fa7696b095e4043179a9809c7e4d3521c22b37c307710513fb20566800e756342d66fc9f24e6b3fb8936b970be6648d36ff2f865a36ca888
SSDEEP

3072:+qBJnhzFne/uuPpZYlqT+SvA7bQF9Ckc14gA7YMwnN2ko2bLljMULUWnMwKMGVos:+qB1He/uuPpCs94XQmf4hWN623KULDnw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
1884	wuamkop.exe
2956	wuamkop.exe
2944	wuamkop.exe
2776	wuamkop.exe
2608	wuamkop.exe
3056	wuamkop.exe
272	wuamkop.exe
1996	wuamkop.exe
1856	wuamkop.exe
2024	wuamkop.exe
1736	wuamkop.exe
2448	wuamkop.exe
2176	wuamkop.exe
440	wuamkop.exe
1324	wuamkop.exe
1728	wuamkop.exe
2560	wuamkop.exe
2192	wuamkop.exe
2172	wuamkop.exe

Loads dropped DLL 20 IoCs

pid	Process
1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
1884	wuamkop.exe
1884	wuamkop.exe
2956	wuamkop.exe
2956	wuamkop.exe
2776	wuamkop.exe
2776	wuamkop.exe
3056	wuamkop.exe
3056	wuamkop.exe
1996	wuamkop.exe
1996	wuamkop.exe
2024	wuamkop.exe
2024	wuamkop.exe
2448	wuamkop.exe
2448	wuamkop.exe
440	wuamkop.exe
440	wuamkop.exe
1728	wuamkop.exe
1728	wuamkop.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File opened for modification	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe
File created	C:\Windows\SysWOW64\wuamkop.exe	wuamkop.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamkop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1884	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	30
PID 1480 wrote to memory of 1884	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	30
PID 1480 wrote to memory of 1884	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	30
PID 1480 wrote to memory of 1884	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	30
PID 1480 wrote to memory of 768	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	31
PID 1480 wrote to memory of 768	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	31
PID 1480 wrote to memory of 768	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	31
PID 1480 wrote to memory of 768	1480	30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe	31
PID 1884 wrote to memory of 2956	1884	wuamkop.exe	33
PID 1884 wrote to memory of 2956	1884	wuamkop.exe	33
PID 1884 wrote to memory of 2956	1884	wuamkop.exe	33
PID 1884 wrote to memory of 2956	1884	wuamkop.exe	33
PID 1884 wrote to memory of 2944	1884	wuamkop.exe	34
PID 1884 wrote to memory of 2944	1884	wuamkop.exe	34
PID 1884 wrote to memory of 2944	1884	wuamkop.exe	34
PID 1884 wrote to memory of 2944	1884	wuamkop.exe	34
PID 2956 wrote to memory of 2776	2956	wuamkop.exe	35
PID 2956 wrote to memory of 2776	2956	wuamkop.exe	35
PID 2956 wrote to memory of 2776	2956	wuamkop.exe	35
PID 2956 wrote to memory of 2776	2956	wuamkop.exe	35
PID 2956 wrote to memory of 2608	2956	wuamkop.exe	36
PID 2956 wrote to memory of 2608	2956	wuamkop.exe	36
PID 2956 wrote to memory of 2608	2956	wuamkop.exe	36
PID 2956 wrote to memory of 2608	2956	wuamkop.exe	36
PID 2776 wrote to memory of 3056	2776	wuamkop.exe	37
PID 2776 wrote to memory of 3056	2776	wuamkop.exe	37
PID 2776 wrote to memory of 3056	2776	wuamkop.exe	37
PID 2776 wrote to memory of 3056	2776	wuamkop.exe	37
PID 2776 wrote to memory of 272	2776	wuamkop.exe	38
PID 2776 wrote to memory of 272	2776	wuamkop.exe	38
PID 2776 wrote to memory of 272	2776	wuamkop.exe	38
PID 2776 wrote to memory of 272	2776	wuamkop.exe	38
PID 3056 wrote to memory of 1996	3056	wuamkop.exe	39
PID 3056 wrote to memory of 1996	3056	wuamkop.exe	39
PID 3056 wrote to memory of 1996	3056	wuamkop.exe	39
PID 3056 wrote to memory of 1996	3056	wuamkop.exe	39
PID 3056 wrote to memory of 1856	3056	wuamkop.exe	40
PID 3056 wrote to memory of 1856	3056	wuamkop.exe	40
PID 3056 wrote to memory of 1856	3056	wuamkop.exe	40
PID 3056 wrote to memory of 1856	3056	wuamkop.exe	40
PID 1996 wrote to memory of 2024	1996	wuamkop.exe	41
PID 1996 wrote to memory of 2024	1996	wuamkop.exe	41
PID 1996 wrote to memory of 2024	1996	wuamkop.exe	41
PID 1996 wrote to memory of 2024	1996	wuamkop.exe	41
PID 1996 wrote to memory of 1736	1996	wuamkop.exe	42
PID 1996 wrote to memory of 1736	1996	wuamkop.exe	42
PID 1996 wrote to memory of 1736	1996	wuamkop.exe	42
PID 1996 wrote to memory of 1736	1996	wuamkop.exe	42
PID 2024 wrote to memory of 2448	2024	wuamkop.exe	43
PID 2024 wrote to memory of 2448	2024	wuamkop.exe	43
PID 2024 wrote to memory of 2448	2024	wuamkop.exe	43
PID 2024 wrote to memory of 2448	2024	wuamkop.exe	43
PID 2024 wrote to memory of 2176	2024	wuamkop.exe	44
PID 2024 wrote to memory of 2176	2024	wuamkop.exe	44
PID 2024 wrote to memory of 2176	2024	wuamkop.exe	44
PID 2024 wrote to memory of 2176	2024	wuamkop.exe	44
PID 2448 wrote to memory of 440	2448	wuamkop.exe	45
PID 2448 wrote to memory of 440	2448	wuamkop.exe	45
PID 2448 wrote to memory of 440	2448	wuamkop.exe	45
PID 2448 wrote to memory of 440	2448	wuamkop.exe	45
PID 2448 wrote to memory of 1324	2448	wuamkop.exe	46
PID 2448 wrote to memory of 1324	2448	wuamkop.exe	46
PID 2448 wrote to memory of 1324	2448	wuamkop.exe	46
PID 2448 wrote to memory of 1324	2448	wuamkop.exe	46

C:\Users\Admin\AppData\Local\Temp\30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\wuamkop.exe
  C:\Windows\system32\wuamkop.exe 548 "C:\Users\Admin\AppData\Local\Temp\30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\wuamkop.exe
    C:\Windows\system32\wuamkop.exe 532 "C:\Windows\SysWOW64\wuamkop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\wuamkop.exe
      C:\Windows\system32\wuamkop.exe 556 "C:\Windows\SysWOW64\wuamkop.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 560 "C:\Windows\SysWOW64\wuamkop.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 544 "C:\Windows\SysWOW64\wuamkop.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 540 "C:\Windows\SysWOW64\wuamkop.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 572 "C:\Windows\SysWOW64\wuamkop.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 536 "C:\Windows\SysWOW64\wuamkop.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 580 "C:\Windows\SysWOW64\wuamkop.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        C:\Windows\system32\wuamkop.exe 576 "C:\Windows\SysWOW64\wuamkop.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        11⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        10⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        9⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        8⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        7⤵
        Executes dropped EXE
        
        PID:1736
      - C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        6⤵
        Executes dropped EXE
        
        PID:1856
    - - C:\Windows\SysWOW64\wuamkop.exe
        
        "C:\Windows\SysWOW64\wuamkop.exe"
        5⤵
        Executes dropped EXE
        
        PID:272
  - - C:\Windows\SysWOW64\wuamkop.exe
      "C:\Windows\SysWOW64\wuamkop.exe"
      4⤵
      Executes dropped EXE
      PID:2608
- - C:\Windows\SysWOW64\wuamkop.exe
    "C:\Windows\SysWOW64\wuamkop.exe"
    3⤵
    - Executes dropped EXE
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\30b9357bd0e3612745585f11af496dd2_JaffaCakes118.exe"
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wuamkop.exe

Filesize
181KB

MD5
30b9357bd0e3612745585f11af496dd2

SHA1
679371dc4262665d4de5573e4c072b68540f8132

SHA256
54cca7a7bc26fda3b3c9cb56adb911982218a60607163f561b5e7bff03624f63

SHA512
ae5b5a4f2c302701fa7696b095e4043179a9809c7e4d3521c22b37c307710513fb20566800e756342d66fc9f24e6b3fb8936b970be6648d36ff2f865a36ca888

Download Submit
memory/272-42-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/440-77-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/440-72-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/768-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1324-71-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1480-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1480-14-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1480-1-0x00000000004AF000-0x00000000004B0000-memory.dmp

Filesize
4KB

Download
memory/1728-83-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1728-79-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1736-56-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1856-49-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1884-25-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1884-20-0x0000000002960000-0x0000000002A28000-memory.dmp

Filesize
800KB

Download
memory/1884-21-0x0000000002960000-0x0000000002A28000-memory.dmp

Filesize
800KB

Download
memory/1884-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1884-13-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1884-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1996-50-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1996-54-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2024-62-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2024-57-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2172-85-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2176-64-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2448-65-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2448-61-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2448-69-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2560-78-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2608-35-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2776-36-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2776-32-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2776-40-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2944-27-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2956-33-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2956-28-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2956-24-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2956-23-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3056-43-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3056-47-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download