be52c0df937dcd1e6e17ad9ff055eead157ef3ae5e7e5aca16ff8742a885d2ff

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe
Size

137KB
MD5

87ee6c35e9de439e1d534dd40897959f
SHA1

a1897cd6fc9a19cc6b0b4d47cfbbd73849bcdce6
SHA256

be52c0df937dcd1e6e17ad9ff055eead157ef3ae5e7e5aca16ff8742a885d2ff
SHA512

09eb715286ecb9cc234d857f24c60229cd6e19f4792dd4ae6934cd37e1d62423049240d2bffa1659ac88d275783cd6149d3779b80b6ed1e8d8f2cec275bd3780
SSDEEP

3072:94lVOE47G2GlLAmWzJ2IASvwmPRjk3BDmCYxQJhdzJbPIZutOr:9bE4zGlLiz7Hvwm4MAhdzJbPfsr

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	1528	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2540	1528	87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2540	1528	87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2540	1528	87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2540	1528	87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87ee6c35e9de439e1d534dd40897959f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 240
  2⤵
  - Program crash
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
b04ba45dbaa42ef8aecb7c980ff5c38b

SHA1
af33d5fdcbdf81497c52261a8efd0c32f98e21e6

SHA256
a6ad3b1f4e1f1a4a7d06cbef9f44b3d7ab59b9e7195336d45b253baa1417c89d

SHA512
67180b0197939b7e1bdde4def25adc908310a075594e180d46b84ecf2624d7ca2a4e61822cdfe7b9ae184835cc461661d1ddfb682bb6adf24c29b98469b95c77

Download Submit
memory/1528-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1528-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download