Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 23:42
Behavioral task: behavioral1
  Sample: db6e777b4a47b9abad8766f68f346bfc_JaffaCakes118.pdf
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: db6e777b4a47b9abad8766f68f346bfc_JaffaCakes118.pdf
  Resource: win10v2004-20240802-en
General

Target: db6e777b4a47b9abad8766f68f346bfc_JaffaCakes118.pdf
Size: 132KB
MD5: db6e777b4a47b9abad8766f68f346bfc
SHA1: 3b03a26ebcccd2bf23ca6e0d493559aaae84ea79
SHA256: 8fb3cbe56625aa555d2c1761847f36fec0007454d179531fb37f5bad2489d804
SHA512: 9e7c6a06e7d5f89309dc0f47f5a7f5b6dc28896cc06dbed0e7daa6468d7bba00870a1b84c3c3884d204611436e26372ef3896aff9678be50dff87c296a30b587
SSDEEP: 384:bONbedw+lJ5v1R7sAki+QgReL8pGlJ+fxf+JRiPPgBs9RYqZJRMJQ4MW/SMXQAYN:nhRMMeamnoG
Malware Config
Signatures

- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1268  2272        WerFault.exe  29

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2272  AcroRd32.exe
  2272  AcroRd32.exe
  2272  AcroRd32.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process       procid_target
  PID 2272 wrote to memory of 1268   2272  AcroRd32.exe  30
  PID 2272 wrote to memory of 1268   2272  AcroRd32.exe  30
  PID 2272 wrote to memory of 1268   2272  AcroRd32.exe  30
  PID 2272 wrote to memory of 1268   2272  AcroRd32.exe  30
Processes

1. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
   Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\db6e777b4a47b9abad8766f68f346bfc_JaffaCakes118.pdf"
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2272

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 752
      - Program crash
      PID: 1268