a82cc1dff0d94c84798e39d7bba5d55f59f316046fbd8c722fe9c71284178823

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
Size

392KB
MD5

8272089d6a0fe6dd903531c779578b1d
SHA1

1f014ce20fcf0b0cacdb907ab87e7bb3a5b1e12a
SHA256

a82cc1dff0d94c84798e39d7bba5d55f59f316046fbd8c722fe9c71284178823
SHA512

f8c87776c4a5a65a3baf8f95c0e11b1b23b9f20d81816a931b6b9dc1856c71ea8a3f506e1b9990a9d4857e9c61fbcc653974ee659aa455a822a4ffdd08010caf
SSDEEP

6144:6f6jF+zxLYCyBXdkzM7YNHomgpKc3mFaLqw5OTwSEAg8tQbqD/7FSW7TLG:wb1EPNgM7CYp8CZdAg8tGqP7nG

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\W:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\Y:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\J:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\L:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\M:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\S:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\A:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\H:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\Q:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\Z:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\R:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\V:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\E:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\G:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\N:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\O:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\U:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\X:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\B:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\I:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\K:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
File opened (read-only)	\??\P:	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
540	8	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 988	8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe	91
PID 8 wrote to memory of 988	8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe	91
PID 8 wrote to memory of 988	8	8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8272089d6a0fe6dd903531c779578b1d_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 288
  2⤵
  - Program crash
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1Rom.dmp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 8
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
3a16ce313f0aedba14943c83ef4a853a

SHA1
e3d635fcf3471a638153e8756da3d3e06cf102f1

SHA256
0d6943432a32c38e203c1a2eace24145e470b06d9d73bdf3a82a32955124d00d

SHA512
a89b9b75ca9a0556eff3ddfc202ac17e3d78c2a5334b61a1f97d9aa802234b2bbcb43b20fe2440d45c6a742e69a4032cdae5e92e491d1a5b79fe21cdf475ae6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
memory/8-10-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-12-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-35-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-5-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-4-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-3-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-6-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-32-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/8-0-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-13-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-11-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-7-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/8-31-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/8-27-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-28-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/8-30-0x0000000002280000-0x00000000022A1000-memory.dmp

Filesize
132KB

Download
memory/8-29-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/8-26-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/8-34-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-33-0x0000000000494000-0x00000000004A0000-memory.dmp

Filesize
48KB

Download
memory/8-2-0x0000000002280000-0x00000000022A1000-memory.dmp

Filesize
132KB

Download
memory/8-9-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-8-0x0000000000494000-0x00000000004A0000-memory.dmp

Filesize
48KB

Download
memory/8-36-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-37-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-39-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-38-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-40-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-41-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-42-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-1-0x0000000002280000-0x00000000022A1000-memory.dmp

Filesize
132KB

Download
memory/8-55-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-56-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-57-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-58-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-59-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-60-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-61-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-62-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-63-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-64-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/8-65-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download