817b70caafe0376891c25a4d0da0a56be98407713d771f99b49aa1d31e51dd9c

Analysis

max time kernel
130s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa59709fa2c2b4d7d36e78b1d44355e2_JaffaCakes118.dll
Size

87KB
MD5

aa59709fa2c2b4d7d36e78b1d44355e2
SHA1

7e925ef83a67150f9335df0fb77eea97be7cb58d
SHA256

817b70caafe0376891c25a4d0da0a56be98407713d771f99b49aa1d31e51dd9c
SHA512

67baf9c1bc40a9099a4530e1aded2dd0b680b495abe1b20d2fdde436fb85eb91be7f78ccc399880aa20637e7dd36c252c01c6932dc66e70b42db5c996cc78c2c
SSDEEP

1536:gAoJ05dbKXYh/pyNm6ra+Qafh67nSv3R2cIfzWqC:wJ05dbKS/pv6TQshzIf0

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1016	4504	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4504	4228	regsvr32.exe	85
PID 4228 wrote to memory of 4504	4228	regsvr32.exe	85
PID 4228 wrote to memory of 4504	4228	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa59709fa2c2b4d7d36e78b1d44355e2_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\aa59709fa2c2b4d7d36e78b1d44355e2_JaffaCakes118.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 596
    3⤵
    - Program crash
    PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4504-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download