Analysis
-
max time kernel
135s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2024 04:03
Static task
static1
Behavioral task
behavioral1
Sample
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
-
Size
212KB
-
MD5
76fb0258a46f488b657825f1213e1481
-
SHA1
afda65bd039d34e6040acc60dd414ff977afde73
-
SHA256
353209ec381a541b54e82c9f99cc5e79249424e9807f3edb0b6fd317197355d5
-
SHA512
8cdef2631f625a96a9bef062bdf5a6e97be3fe11590ebf075afe94234781176de4c0a0fd61c40a6686f3edaa4053cc27ce3e133456c08eeb63abe2d175c83b99
-
SSDEEP
6144:2A2efs4qPdLrS6js1YeGjMc3tKf4T5Y59:h2PVBg2eGjASY
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exepid process 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exedescription pid process target process PID 2240 set thread context of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3236 4564 WerFault.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe76fb0258a46f488b657825f1213e1481_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exepid process 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
76fb0258a46f488b657825f1213e1481_JaffaCakes118.exedescription pid process target process PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe PID 2240 wrote to memory of 4564 2240 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe 76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 3283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 45641⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BHNADF17c7l.txtFilesize
2KB
MD54c2de3b8fed6dda3c60a981c51678180
SHA102800e4ce657554c9f78bece0b39dd91b6134db6
SHA256859db080985d921fcecf929554ac10582a49073b22910b3b9fa297ead1422828
SHA51210b5d4ab07f61783db34c6af8f1675435cdc2c81668884cf0bb110517843c16972bedb025195b79553dc15c5f9c1684e730303d562d467bd33faafee004144b0
-
memory/4564-6-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/4564-8-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/4564-23-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB