1a2051290941218c4665ab7ff8086453d987a0e9a7cb6b0cb1386fbefdf20e25

Analysis

max time kernel
91s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe
Size

556KB
MD5

274afabe72ed8b0323a42b39bbdf1912
SHA1

e39a0d9c89b4b0eaa801aa7529a426d480659717
SHA256

1a2051290941218c4665ab7ff8086453d987a0e9a7cb6b0cb1386fbefdf20e25
SHA512

04043ee06a1b1b4238d8411e459da74d994a0d56f0334c8ca564df9dba76dbd5fe6402481e38f60b1329d009bf80dec53a4c6ffd7e6d9d4e4497a31a4f7cf595
SSDEEP

6144:gWa9jr9ILXvkBfIitOXTi4HNqrQb48GxvSrQwH2:gWax9+cXtOXTisb4BR/

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe"	274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe"	274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
972	1852	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1852	274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe
1852	274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\274afabe72ed8b0323a42b39bbdf1912_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 836
  2⤵
  - Program crash
  PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1852 -ip 1852
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads