4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe
Size

6.6MB
MD5

e4ce16957129f0ce094c9eaae8672333
SHA1

aed6f0d4abb26ee4df7814a14fa59fcb0fb2f013
SHA256

4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d
SHA512

c6c51a3345c191ef694b595406665e9b31ba935de10dcd6be7c6bcf46c158a4a5e58b5e21ebd59a15207dec2feb7a45ddfbb8d6ba21f56c57423bd895c63228d
SSDEEP

196608:NERwPy8YGUdxPSgB/aSoJxJgczOLX5UNm2m31BNL/Ys2tIs+:KRwK8YGMq+V0D7zOL/1BNLgfIP

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1868	OneDrive.exe

Loads dropped DLL 8 IoCs

pid	Process
2380	AppLaunch.exe
1868	OneDrive.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"	REG.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2688	REG.exe
2896	REG.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2508 wrote to memory of 2380	2508	JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe	31
PID 2380 wrote to memory of 1868	2380	AppLaunch.exe	32
PID 2380 wrote to memory of 1868	2380	AppLaunch.exe	32
PID 2380 wrote to memory of 1868	2380	AppLaunch.exe	32
PID 2380 wrote to memory of 1868	2380	AppLaunch.exe	32
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2896	2380	AppLaunch.exe	33
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 2380 wrote to memory of 2688	2380	AppLaunch.exe	34
PID 1868 wrote to memory of 2604	1868	OneDrive.exe	37
PID 1868 wrote to memory of 2604	1868	OneDrive.exe	37
PID 1868 wrote to memory of 2604	1868	OneDrive.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c0e74a2eb39808b4abd6107e7dcc17a27d9b80d014aac1fedf58e8fda231c9d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1868 -s 736
      4⤵
      Loads dropped DLL
      PID:2604
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2896
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\0VcCIIe882cZkd_s

Filesize
133B

MD5
5f89cb4698960c45e93ff1c3a488b605

SHA1
bab8de233798a74811f3f5696828b9b6fb85f5e1

SHA256
4bfe4f78be10008db87521ff442a9aaf856853cc8cd50e7fcce0138751950e39

SHA512
e9a0aae7d13663391c6d5e8442109371c10568b2dba25ceacb8838abd2860ca45b5832f6a478f160a360b445d6c194e55d5a8ef43b27b684c489f434468a39db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll

Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
175KB

MD5
f3af73070387fb75b19286826cc3126c

SHA1
7774854137d7ada89f3b4bdf67631456a1e74853

SHA256
974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

SHA512
a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

Download Submit
memory/2380-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-10-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2380-3-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2380-2-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2380-11-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2508-1-0x00000000001D0000-0x00000000002D0000-memory.dmp

Filesize
1024KB

Download