5f5b2131c268203dd564f7f3cddee6a484c202eb549d43ffe6e210a2bc881250

Analysis

max time kernel
136s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 09:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe
Size

25KB
MD5

736d64761014116fd3e4f03088fe2c15
SHA1

0d909a5cf976c60d08bddb2114efb3338d6253bc
SHA256

5f5b2131c268203dd564f7f3cddee6a484c202eb549d43ffe6e210a2bc881250
SHA512

eb05134284ee0d67946b093458f5f1a27cd07f5fc4760bd514173837b338df0352379bc247af23f69e15b36c326e66200adf108362ba2b849c703e3c71fc8123
SSDEEP

192:iOovrqyS06V/YJs0nuVoeVqFow6G7e2B0pZHaDBYwrBR+lF0VoSN/5G9wywaqL/8:lMuX5oF/DBYyBRzN/5G9wpL0lHipIp

Score

3^/10

discovery

Malware Config

Signatures

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2520	3112	WerFault.exe	83
892	3112	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3112	736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe
3112	736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\736d64761014116fd3e4f03088fe2c15_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1088
  2⤵
  - Program crash
  PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1248
  2⤵
  - Program crash
  PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3112 -ip 3112
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3112 -ip 3112
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\showthread[1].htm

Filesize
18KB

MD5
ec48c38aa8121a36b23ca65f43f73dce

SHA1
f8b825bf0fc85e847a8fad98a6e0beb33db32c62

SHA256
00c24a3b4b84e104ab3902efcb91ddad64ad512ff66699ff7a926a7686ea8caa

SHA512
72c5d475fe41b57d929b22b1ccbb8bd4aced714ece264e2080579cb5a90c0678328aa3ce61b9b7da74fa3ed9fa031ae4cf5f2ef5a59b84fbbc836365ab1765dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#906D.tmp

Filesize
18KB

MD5
dd3c442ecd215f7937662d12108f8b1c

SHA1
9a8d0f27476c9c02bd822e66f4b9b3f0edc536f0

SHA256
0d215b8b4704fa69983488e65bd0e45cf5dcd3a32882baf2a791482ca62fc418

SHA512
e93d1a5d07193c0914a2c36f8c1d1bff86700b21f0f9ed5cc2c54acfcf337e0e9972964b1f2b52c8b0ea33461f50d5e9267406c5a335cfe6260ec4a6de9af328

Download Submit
memory/3112-0-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3112-283-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download