Overview

overview

7

Static

static

3

572c75f432...18.exe

windows7-x64

7

572c75f432...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2024, 11:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    572c75f432ddf21d08678ba513aeb116_JaffaCakes118.exe

  • Size

    367KB

  • MD5

    572c75f432ddf21d08678ba513aeb116

  • SHA1

    82fdb0646a3c5a21a56ef25c9a529090c46ad45c

  • SHA256

    e623162e221ecec4abae9af6e4ed255dff2e4a065d2e55b8511e231e44a44d33

  • SHA512

    34423c93d08f1724de5c57ab516d3eeb79c2e694fb91b7cece18cd33f4c710f4e0bd37eb99c2d70441c9252ef417a15e206b23f47f05562d2a85d90400f542b2

  • SSDEEP

    6144:E0evR/Rkt0J7NXyJUeRwITb4i/oDrI/z/geVLNt6SvJqb:E0qmt0J7YJrHoKzjVLNvvJqb

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\572c75f432ddf21d08678ba513aeb116_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\572c75f432ddf21d08678ba513aeb116_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 288
      2⤵
      • Program crash
      PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\DELME.BAT
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2912
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
    1⤵
      PID:5032
    • C:\Windows\cvshost.exe
      C:\Windows\cvshost.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 280
        2⤵
        • Program crash
        PID:4384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4444 -ip 4444
      1⤵
        PID:3216

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\DELME.BAT
              Filesize

              218B

              MD5

              498983be5aacc17672b90490dda044b1

              SHA1

              b442b1aa62fab4b3123e8b203e3f1cb764aaab98

              SHA256

              c9ed1146a5d72569313a91a969e2ba63b8501322b6e3138447467ff0f00d712b

              SHA512

              d3f72c29739b13ec45f46d68d08ba2f1ce7310df71846150a79fd0c5320d8b891a90f3e2671a815855bde53dda91952d12f560d502ef140927bf2575668cc9db

              Download Submit

            • C:\Windows\cvshost.exe
              Filesize

              367KB

              MD5

              572c75f432ddf21d08678ba513aeb116

              SHA1

              82fdb0646a3c5a21a56ef25c9a529090c46ad45c

              SHA256

              e623162e221ecec4abae9af6e4ed255dff2e4a065d2e55b8511e231e44a44d33

              SHA512

              34423c93d08f1724de5c57ab516d3eeb79c2e694fb91b7cece18cd33f4c710f4e0bd37eb99c2d70441c9252ef417a15e206b23f47f05562d2a85d90400f542b2

              Download Submit

            • memory/1968-0-0x0000000000400000-0x0000000000401000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1968-1-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download

            • memory/1968-2-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download

            • memory/1968-12-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download

            • memory/4444-7-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download

            • memory/4444-8-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download

            • memory/4444-9-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download

            • memory/4444-14-0x0000000000400000-0x00000000004CA93A-memory.dmp

              Filesize

              810KB

              Download