Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 04:38

General

  • Target

    dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    dfe9edfceb1ca6ebb94dd18919bfadeb

  • SHA1

    178d4e316cdd7b707089928f6beaa91314eec834

  • SHA256

    5c64f7f80b09582f6ad8049c4b7e9ea5ab62006630df5941a6733544fce5940d

  • SHA512

    602746e05e90aa48288658bd97df8488a443d82c7f808294bb946435a1c8fcaa715e42711a62a4e455a5f8a918c3169aedabed7a073e1a66e959c2aab3e8071c

  • SSDEEP

    24576:u2EBg1IYJE7MyO1RnYBRIKJhbO+jqM72mKePXVhZU0WABFlPF:S4JE7MRjYBRIKJ5Osr7cMFfU0nBFNF

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\morena.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\morena.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORENA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORENA~1.EXE
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stub.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stub.exe
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • System Location Discovery: System Language Discovery
        PID:2448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 588
          4⤵
          • Program crash
          PID:3412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2448 -ip 2448
    1⤵
      PID:2836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORENA~1.EXE

      Filesize

      1.7MB

      MD5

      0d2c9d82d65344ffd4411fc43e5035db

      SHA1

      9ddec8a3b866f86abeda3aec706df50b9857fd40

      SHA256

      11213144f3a0dc778cc1bedca3405720f27d068404debe849ebd505ba62da13d

      SHA512

      918e6a61e7f116f9e8610980fd2c4ea7cea733333e0a0310c829e5f0bb61a6a46def8c49b267c7ff9ee85374c27c3c4fb2fa418afc1466eace51411956c9f7ef

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\morena.exe

      Filesize

      170KB

      MD5

      707e13901eefb28204e1eea7806d27c2

      SHA1

      053f829fb78e8b8898ba4a4a7680dde21bb857cb

      SHA256

      4b85fc047bc52b4ea993669a71f77c5ef08ded1336c6d2f7ccca44617b4f0cab

      SHA512

      3359258f4f39aca48bddbb9cb9b78d7b1670ad7c6cb3205f64861fc54fef65bcf3cccc2809a9f6876a586cafcc88ed755fbc22e349a1bd5201f291413d485169

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stub.exe

      Filesize

      741KB

      MD5

      f0c3d1dc95d0317ad9f7c847a0774d96

      SHA1

      bdf81b0af7f773981b70125d2269408066e44c14

      SHA256

      13fc3642c88957d237e79eda353b413f17047b76da76988679124ea06260af31

      SHA512

      89e14ed790dd87598da01e8267da0c7cd8d88b0dde0dcd9cc77e41e6abdca948916119c0bc839636cadefecc96b6b4d6a05099aa36df231cdc3dfb98a60d494e

    • memory/3236-10-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/4552-0-0x0000000001000000-0x000000000115A000-memory.dmp

      Filesize

      1.4MB

    • memory/4552-20-0x0000000001000000-0x000000000115A000-memory.dmp

      Filesize

      1.4MB

    • memory/4856-13-0x0000000001000000-0x00000000010CF000-memory.dmp

      Filesize

      828KB

    • memory/4856-21-0x0000000001000000-0x00000000010CF000-memory.dmp

      Filesize

      828KB