676047897f340387e718842c45ff18d3e130f023c9156659883caf33c8b1a7cc

Analysis

max time kernel
15s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Size

229KB
MD5

0841f7e3cae56885f4ee4792814907c6
SHA1

4b08e588a05e268790461a0d1f3bf1b2dace3e92
SHA256

676047897f340387e718842c45ff18d3e130f023c9156659883caf33c8b1a7cc
SHA512

9347e6ac1b60e3c54aedd1dfe714e95027b923e626b40610e735dd7bfc2b8a136754386da87f6b7e8d36ef9a08a005901268268834488b6807fb3cef6731c700
SSDEEP

6144:tOzbPpjSRkXqCJEmFt+p7GCvB/wCgVlqXAcdkRi5:tOfpGRkXqaDTaGCvB/wCgf0h5

Score

3^/10

discovery

Malware Config

Signatures

Program crash 9 IoCs

pid	pid_target	Process	procid_target
452	1864	WerFault.exe	101
380	188	WerFault.exe	98
4336	920	WerFault.exe	84
4260	4872	WerFault.exe	87
596	2036	WerFault.exe	88
3192	4804	WerFault.exe	89
4844	1764	WerFault.exe	91
968	4084	WerFault.exe	94
3244	2796	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4872	920	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	87
PID 920 wrote to memory of 4872	920	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	87
PID 920 wrote to memory of 4872	920	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	87
PID 4872 wrote to memory of 2036	4872	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	88
PID 4872 wrote to memory of 2036	4872	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	88
PID 4872 wrote to memory of 2036	4872	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	88
PID 2036 wrote to memory of 4804	2036	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	89
PID 2036 wrote to memory of 4804	2036	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	89
PID 2036 wrote to memory of 4804	2036	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	89
PID 4804 wrote to memory of 1764	4804	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	91
PID 4804 wrote to memory of 1764	4804	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	91
PID 4804 wrote to memory of 1764	4804	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	91
PID 1764 wrote to memory of 4084	1764	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	94
PID 1764 wrote to memory of 4084	1764	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	94
PID 1764 wrote to memory of 4084	1764	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	94
PID 4084 wrote to memory of 2796	4084	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	97
PID 4084 wrote to memory of 2796	4084	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	97
PID 4084 wrote to memory of 2796	4084	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	97
PID 2796 wrote to memory of 188	2796	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	98
PID 2796 wrote to memory of 188	2796	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	98
PID 2796 wrote to memory of 188	2796	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	98
PID 188 wrote to memory of 1864	188	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	101
PID 188 wrote to memory of 1864	188	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	101
PID 188 wrote to memory of 1864	188	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	101
PID 1864 wrote to memory of 4400	1864	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	102
PID 1864 wrote to memory of 4400	1864	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	102
PID 1864 wrote to memory of 4400	1864	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:188
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        10⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 556
        10⤵
        Program crash
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 552
        9⤵
        Program crash
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 548
        8⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 464
        7⤵
        Program crash
        
        PID:968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 524
        6⤵
        Program crash
        
        PID:4844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 532
        5⤵
        Program crash
        
        PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 528
      4⤵
      Program crash
      PID:596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 512
    3⤵
    - Program crash
    PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 540
  2⤵
  - Program crash
  PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1864 -ip 1864
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 188 -ip 188
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 920 -ip 920
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4872 -ip 4872
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2036 -ip 2036
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4804 -ip 4804
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1764 -ip 1764
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4084 -ip 4084
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2796 -ip 2796
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-31-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/920-1-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/920-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/920-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/920-0-0x00000000021C0000-0x00000000021F8000-memory.dmp

Filesize
224KB

Download
memory/920-6-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1764-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1764-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1764-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1864-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2036-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2036-8-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2036-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2796-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2796-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2796-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4084-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4084-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4084-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4084-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4084-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4400-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4804-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4804-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4804-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4872-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4872-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4872-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4872-3-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4872-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download