4f3cbd590058bf2e510c217fb60cb8ac5d39e661106eb84216df3761c24c46c0

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
Size

26.1MB
MD5

723a69df9c1ba18ca42f48067bcc3c43
SHA1

8b061eaeec190dc7c43d2ff79b6aa3baea8de656
SHA256

4f3cbd590058bf2e510c217fb60cb8ac5d39e661106eb84216df3761c24c46c0
SHA512

462ff8989f5fddc5c01c1b191c38678d966f96b9ee12cd9c608a6501ad183c5af70e3b7dc88bf760b104adc59234249a66219078e23326b1d9980b30487777f7
SSDEEP

786432:bWKdCdOikWfieX4zdg0CewOCpnUZrabI5WF80QaRL:vdCd1kW/cd0pbbICVV

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4584	1336	WerFault.exe	83
3664	1336	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1336	723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\723a69df9c1ba18ca42f48067bcc3c43_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1116
  2⤵
  - Program crash
  PID:4584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1116
  2⤵
  - Program crash
  PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1336 -ip 1336
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1336 -ip 1336
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GMSkin_Image_2012_v1.zip

Filesize
1.4MB

MD5
64926a198d0478ee03acbfbe45dffb3e

SHA1
bd1f17f27a182e247a7ab999e1a589f836742cf6

SHA256
0346ae6a91eb9327dc30c05a8b0f982e7ff042a34123f68e09143b66cd21fa0d

SHA512
63cd9e9857fe4b1cdb04ee12f4314a36b5d31bfa25e5aa14b3b75705bd6bf5fb582a9973e804ab97c24e3777c7a63eaed9aa60bdc689c9d66fcebf3334615f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\K8Skin.dll

Filesize
200KB

MD5
993769b2dfcd636e44d1b172153e93cd

SHA1
9f50f10b368d1aa5a3c0b62b186e17bfdc777bb4

SHA256
87ef39ea75bfaa0df277bbc838b57449c7fdc2d4d0512f8eade3ff8f1be4e9e7

SHA512
5de33a662cbc368a35784e05b4ce99a5fa1db94f92724eea763bd3cf000a25adaeb85903057ca4e27fc28110cd476a1d627f142894754d7dfea048f4a57f3277

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqA087.tmp\K8NsisExtend.dll

Filesize
180KB

MD5
bb2a8e03b4e1513a9a3b53a781944463

SHA1
d92d9a38c426038f3f7c1c7b2b8db1ac7d41458e

SHA256
a5316412cd439f8c3e65c5287c8199d1a8e0b5c9a326235cbe591a208318fb0b

SHA512
cef2b8dd42f4d4f4c3fd2c13f2f58a202ece732356a2f123cabee3e6d948aa2ac5c0ca30af10c896ddbf67f1503e1ce8f54ed8718ab6bf8a450ccc22de34dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqA087.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqA087.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/1336-12-0x00000000022E0000-0x0000000002314000-memory.dmp

Filesize
208KB

Download
memory/1336-42-0x0000000002340000-0x0000000002371000-memory.dmp

Filesize
196KB

Download