d820862b1a873017018386baef7d12eaccae4b735e68348240d7ad36c475bed7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe
Size

252KB
MD5

eaa8781d573779faffc72c3b5ac4cec5
SHA1

499bc6f0d96b1e736e06fc0fa274744397909b92
SHA256

d820862b1a873017018386baef7d12eaccae4b735e68348240d7ad36c475bed7
SHA512

8b4984d2a0dc8e138b8a47676eac0e8c7efb2a10589d023c1b0a2bc5a729b41d540f4996de63f887c1e70eac5508cd8c49058a79ca701889d703c638f3839c82
SSDEEP

3072:bP95HJNocTx9YE9/7ImOequZmwjFvjQsYRmW:x5pNoSJz5Zm+vjQsYn

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\1.bin	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\1.bat	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\2.bat	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\4.bat	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\loader.tmp	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1728	2788	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1728	2788	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe	32
PID 2788 wrote to memory of 1728	2788	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe	32
PID 2788 wrote to memory of 1728	2788	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe	32
PID 2788 wrote to memory of 1728	2788	eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa8781d573779faffc72c3b5ac4cec5_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 780
  2⤵
  - Program crash
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
631B

MD5
0b92bb1f3b9141d221dfedfcc5a59527

SHA1
8d0a11d39776442b53436490284dc460137d3e7a

SHA256
5ad1f9cc4cff9a7d07bf72edc9ce2ccb0e75a6bb8038ab92a27a54914d560a99

SHA512
e3472c917c7ac2657f4ceb3bf8d1cdabca72bc0090ce2d33b3c334d86ad4cb8b68e109d936f6d99b38dd8d44bcd2e2e152d3292c10c77461e79bb13b2db04205

Download Submit
memory/2788-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download