25a5fd7ad958549b8e06f720cc3fd30f152490a095c8f3a6f54b909be6fd671d

Analysis

max time kernel
133s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b33dee57cf1d59ae078ba19ac687aac0_JaffaCakes118.dll
Size

88KB
MD5

b33dee57cf1d59ae078ba19ac687aac0
SHA1

fe7324274defb856a5bd86d7d237f283f6226691
SHA256

25a5fd7ad958549b8e06f720cc3fd30f152490a095c8f3a6f54b909be6fd671d
SHA512

0d588e5a7973be8258670e0772e0108e97d408d1bfa4ca72785a0177d3782e87546c369bcb0a87fdb5a445a7b839a16a5d3546414c9eb765e2d8a27d95b95054
SSDEEP

1536:gCdIo0TbOOMz+W1DQtWLYNricR/T/6XW+PKVlQONYnA06k8:7QizfoWsNriWuWLucT

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3108	624	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 624	3680	regsvr32.exe	84
PID 3680 wrote to memory of 624	3680	regsvr32.exe	84
PID 3680 wrote to memory of 624	3680	regsvr32.exe	84

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b33dee57cf1d59ae078ba19ac687aac0_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b33dee57cf1d59ae078ba19ac687aac0_JaffaCakes118.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 596
    3⤵
    - Program crash
    PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 284 -p 624 -ip 624
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download