1b7fbfcd00983e84e6d0e0f482421ec8ca2468bddcceb23cb66159fca6afd779

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe
Size

489KB
MD5

d561dc643607019f6d3337661d1cf05d
SHA1

72b31e4c97157f807d2486cc745c6ae7302fccfb
SHA256

1b7fbfcd00983e84e6d0e0f482421ec8ca2468bddcceb23cb66159fca6afd779
SHA512

a28167a26f9e405eace4c1fda613275b1cb71edaa68089f17efec3125efff0d136ba9c66c63d816d45f98f30e229c39190161a7ca5fadad2954c2589aad2d968
SSDEEP

12288:+3DIx6thES517fvsczPwo5CL4FB5uBRfAA7p87uxCzb/zNs2fNbMoD:+3DIx6thEm17f/te4P5uPfJ7pOuUTN/V

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3496	befacghgbc_P.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4756	3496	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	befacghgbc_P.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3496	2244	d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe	90
PID 2244 wrote to memory of 3496	2244	d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe	90
PID 2244 wrote to memory of 3496	2244	d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d561dc643607019f6d3337661d1cf05d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\befacghgbc_P.exe
  C:\Users\Admin\AppData\Local\Temp\befacghgbc_P.exe 7,9,3,9,4,8,9,9,3,0,9 KEdGOzkpMC8xMhcoSlI5TEE7NC0gJkc8UU5LSkJAQT0nGSZBQE9MQDs6MBcoOkY7OSgXJk1SRj1MQEtbQTs0LSAmTDxPTUFKVkxPTDRha3FnNicmam92JT08UEIpTEZHKkFHSSVGRUJHFyZATEA8QkY7ORgmOy49JCoXLDsuNSQoHS87LDQqKBwnOys6LSgZJkEsOSUoFyxQSUg7UjpQV0dJRlY4PFA6FytISUZBVTpNVkJMSDk0FyxQSUg7UjpQV0U4SkU0GSZCT0FXTElJPRcoPFU8WztEO0lJRT40HSZER0pLXEJJSE5QPE41LBcsVD86RUhQS01WTE9MNBkmU0Q5KhcmQVMoNhcsSVFGS0BKRVZQPEk6S0U8QEpBPj5MT0M5GCZAUF9JTkVRQEk9NGtvdVwZJk88UE1JRUZOPlhMUDxOVzs4VlM0KxcsP0U8PE86MRcoQFBWQFFFOEpJOlg8SzpOUUdLQkQ0X1hpamEYJjtMV0VFRj47W0FHNC8wLycoLicqMSolLjIpGSZNOE45Q0NCTFZCRVBLPURDNHFybF4XLEtFRTw0LjQsKSk2KjQrJxcsREZQRUlGPTxWS0ZNPDYoLyYtLiYpLTEsIy43KS8yLCcnUEQ=
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 228
    3⤵
    - Program crash
    PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3496 -ip 3496
1⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\befacghgbc_P.exe

Filesize
674KB

MD5
874fbb12caacbf56e2e02b37634218ca

SHA1
721b1d3923c7eb3dcbcae0b7b839918aaa0340c1

SHA256
54f132d1bc338089c3ffbe65944c3c375917a860c2d146db98ad7fdca413bcaa

SHA512
03f397ed707117422a7dfebce47b4a87ac494827d42854e34c547255b02169d14ae6eeb3ff2b34ae9e59bacfe452daef49a14a4f9eda8ece672679255d46c4c6

Download Submit