d32ee6a01a7fc4507cba98d4198743c2abc7826c4348572166e1f77c2b23522f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe
Size

36KB
MD5

55e1bab60c0fb72865e94941a39e6488
SHA1

fa93bcaef8351e03670f427d7a811af44511a08a
SHA256

d32ee6a01a7fc4507cba98d4198743c2abc7826c4348572166e1f77c2b23522f
SHA512

5e464d8c73eb4edcc5eebf30a3f0dea4bb8facfad99dd7ab3282dbdaf96a1c54b42bb01f6eda102143cb2556e36ea9490ce3c8e3c87bb1e18d9e3b36a8f34822
SSDEEP

768:OLvqk3WDdgZJ/UHSK7u2UL99pQw0GSXYn9ieDDk3iQ0U:OLj3WDk2HSOuB5bQjucH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2428	ll.exe

Loads dropped DLL 6 IoCs

pid	Process
2168	55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	2428	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ll.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	ll.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2428	2168	55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2428	2168	55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2428	2168	55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2428	2168	55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2772	2428	ll.exe	33
PID 2428 wrote to memory of 2772	2428	ll.exe	33
PID 2428 wrote to memory of 2772	2428	ll.exe	33
PID 2428 wrote to memory of 2772	2428	ll.exe	33

C:\Users\Admin\AppData\Local\Temp\55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55e1bab60c0fb72865e94941a39e6488_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\ll.exe
  "C:\Users\Admin\AppData\Local\Temp\ll.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1088
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ll.exe

Filesize
6KB

MD5
75a59661dcc877abe85f48593be9707d

SHA1
c69c63404efe58c425473898579ce1c80bc3f83f

SHA256
482753e987fcff914a06ba8779da86b8303b88e819198534881ce779835e6732

SHA512
98cd8b000f401bec82ab2640d2227f6ba5af866262a83d773c5eeacca290fee68c7137b7a3469d15ef78c0af8a1b0cb8555d250aade17c3767351b52be28fbec

Download Submit
memory/2168-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2168-2-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-11-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-10-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2428-13-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-12-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-19-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download