353209ec381a541b54e82c9f99cc5e79249424e9807f3edb0b6fd317197355d5

Analysis

max time kernel
135s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
Size

212KB
MD5

76fb0258a46f488b657825f1213e1481
SHA1

afda65bd039d34e6040acc60dd414ff977afde73
SHA256

353209ec381a541b54e82c9f99cc5e79249424e9807f3edb0b6fd317197355d5
SHA512

8cdef2631f625a96a9bef062bdf5a6e97be3fe11590ebf075afe94234781176de4c0a0fd61c40a6686f3edaa4053cc27ce3e133456c08eeb63abe2d175c83b99
SSDEEP

6144:2A2efs4qPdLrS6js1YeGjMc3tKf4T5Y59:h2PVBg2eGjASY

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3236	4564	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86
PID 2240 wrote to memory of 4564	2240	76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\76fb0258a46f488b657825f1213e1481_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 328
    3⤵
    - Program crash
    PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 4564
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BHNADF17c7l.txt

Filesize
2KB

MD5
4c2de3b8fed6dda3c60a981c51678180

SHA1
02800e4ce657554c9f78bece0b39dd91b6134db6

SHA256
859db080985d921fcecf929554ac10582a49073b22910b3b9fa297ead1422828

SHA512
10b5d4ab07f61783db34c6af8f1675435cdc2c81668884cf0bb110517843c16972bedb025195b79553dc15c5f9c1684e730303d562d467bd33faafee004144b0

Download Submit
memory/4564-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4564-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4564-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download