ec46c7750feba7159db58cb5fe92fb0a8bcf3dce2731bdeb924588a3ce8cf44b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
Size

690KB
MD5

cf4f354b5298c91cb9a9470c955cebf0
SHA1

3c8d10652817debfce92d783b367579b1f56523c
SHA256

ec46c7750feba7159db58cb5fe92fb0a8bcf3dce2731bdeb924588a3ce8cf44b
SHA512

3d59081314c3535488589656760ee476002953687b656383eb21c30e2073eeae6af0435ff215e4eeed568c4e5da879c89af235a3737aa9291b539eebed7cb0df
SSDEEP

12288:3czJJhqrVPlyfsOQaoBOgKL9EwqHpYs6RbkuXoXfirZxrOKh5jMHjcAMf:3czJKVd+sOjoBOgi9EwepYsYXoXK1VhR

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	easy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\wexplorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wexplorer.exe"	easy.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\The Dark ICQ Hack.exe	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
File created	C:\Windows\easy.exe	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
File opened for modification	C:\Windows\easy.exe	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
File opened for modification	C:\Windows\easy.exe	easy.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259445590	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
File created	C:\Windows\The Dark ICQ Hack.exe	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	2608	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	easy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	easy.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2608	1488	cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe	31
PID 2608 wrote to memory of 2336	2608	easy.exe	32
PID 2608 wrote to memory of 2336	2608	easy.exe	32
PID 2608 wrote to memory of 2336	2608	easy.exe	32
PID 2608 wrote to memory of 2336	2608	easy.exe	32

C:\Users\Admin\AppData\Local\Temp\cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf4f354b5298c91cb9a9470c955cebf0_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\easy.exe
  "C:\Windows\easy.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 260
    3⤵
    - Program crash
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\easy.exe

Filesize
585KB

MD5
13c8107165339f3658dac5154cd62b53

SHA1
6837e58354809491995141c0049011d1f3929202

SHA256
92ab5119de02d820119c19a42685776508aa472fe88486cb42643905486012db

SHA512
086cc5fca113dfc010f2519d4bb13d227923f7eeb91d4f9393abbc7d0e40691e7247e0679d7563608788183177a332478479b3edf6d48e07bc957a5feacdbf95

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads