1eed612c5913e4300208ec2c7cb2a605c8a07a7b08976bf6432fad3db6b87239

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
Size

61KB
MD5

3116d11e4f737d872b8e7ec21a0a1a9d
SHA1

a18615961435fa1341512547ee8b65afd56ef45f
SHA256

1eed612c5913e4300208ec2c7cb2a605c8a07a7b08976bf6432fad3db6b87239
SHA512

d6a5f0e3921457a1768bf618d34f8c0027a184fe83da396359a60b6fd25b2775ba7acfbfc367f3ad180a5f25d665df00ee183941ae6573461fafee97133341a0
SSDEEP

768:7aA1WnsnY25r38akjPDcoNIruWTLFPLT8QpAp/E7xoiHaW:fWsY2F3Cjpa1/FcQpoif

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2076	loader.exe
2024	rip2.exe

Loads dropped DLL 10 IoCs

pid	Process
2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
440	WerFault.exe
440	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
440	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
352	2024	WerFault.exe	31
440	2076	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rip2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2076	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2076	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2076	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2076	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2024	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2024	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2024	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2024	2224	3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe	31
PID 2076 wrote to memory of 440	2076	loader.exe	32
PID 2076 wrote to memory of 440	2076	loader.exe	32
PID 2076 wrote to memory of 440	2076	loader.exe	32
PID 2076 wrote to memory of 440	2076	loader.exe	32
PID 2024 wrote to memory of 352	2024	rip2.exe	33
PID 2024 wrote to memory of 352	2024	rip2.exe	33
PID 2024 wrote to memory of 352	2024	rip2.exe	33
PID 2024 wrote to memory of 352	2024	rip2.exe	33

C:\Users\Admin\AppData\Local\Temp\3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3116d11e4f737d872b8e7ec21a0a1a9d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:440
- C:\Users\Admin\AppData\Local\Temp\rip2.exe
  "C:\Users\Admin\AppData\Local\Temp\rip2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 68
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
20KB

MD5
ea6bb4057c4479f16a3d3fd8f0dfd88b

SHA1
3485e6ffe9364391f50af029f86ceb797d873278

SHA256
7867bca5013b8433a6c015431c60a5072949ee9a1152d4418bb0e0944b636aa5

SHA512
a4dc7af43495ef1041fd8c9e88e5b0a332ec93f862d9ec4a9976e3b5869f28906a22530388c7eb7ea88795834f572c684ba4f8e96fe4e0f346dc418f8467fa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rip2.exe

Filesize
32KB

MD5
3f10ab38857aa63a9f6a655e48781f4d

SHA1
91eea93d66e3b649a7e3a2d2629a694969ad2cb6

SHA256
613b24ec69a0cdde9645fd3909d05c085d0393b019659db1d34d890974fc81a7

SHA512
1d52f01785bdd90c8756902bfe74486cf3f0642a56922914744258989095ea43b1875360834dd44be4dfb86409b5a7e31a48f6bddd03795593f117f8663ee3e7

Download Submit