20390648fc3adbc7fad0ef018f99f72d14e9f334d231fe911293f945796fb428

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe
Size

215KB
MD5

2749bc8145be2724c0a78353938757d2
SHA1

ed4a32df491476334b1b3c67e87770cd79c966ee
SHA256

20390648fc3adbc7fad0ef018f99f72d14e9f334d231fe911293f945796fb428
SHA512

1d967e6763c7f5457b5717e4b3beebddcb52195eeef775689c8a570a032c5a13ecd19a4d27c289556f894dc52afb5b000de45483e2429ac7b641f63575a836ac
SSDEEP

3072:i2zyp8caP5sqvUd0EuoBtLM4GzsX12vQTDdfON9YJbF0c1ZG7CO1zO6KIgaIm9o:bzIpo1Ud0EuktLwiDdEcBU7ZC6VgaIm

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
884	2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3092	884	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2749bc8145be2724c0a78353938757d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 784
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 884 -ip 884
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
174KB

MD5
ebf40fdf19fde8de50506764a4046305

SHA1
e9fcfca026b1f9052d6135363947adb00ca6840e

SHA256
9a6c8644cb1b44d8a53cd309b9a7930ed889f9b694fc127d5152d439c7cbc500

SHA512
4f048f79c320bd27e7ca91ae36f9471eb858ce127afaa3e3b8d53ca3dae9778eb1d9b4071b9dabf8e6c580efb31fb2de5c01ac9e83378b306005a6e3adfae1fc

Download Submit
memory/884-0-0x00000000005A0000-0x00000000005C9000-memory.dmp

Filesize
164KB

Download
memory/884-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download