dd6a37fd9edb5e95519e04ecc4021f5ce8a823e434e4a99e6cadd354d3f317b8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 08:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe
Size

213KB
MD5

39185e8ea4a032a4024331babb8c9e2b
SHA1

c7cc00617f2e58248db7c70d08148a6f45123cfc
SHA256

dd6a37fd9edb5e95519e04ecc4021f5ce8a823e434e4a99e6cadd354d3f317b8
SHA512

4be125a2b95747ab9e1836374535565cd0543b7d93da5f88e1dc0a05fcf76cd9fcd4eb38d276035387470db89870c1f6bc78c2d1d3fa960eab4b36d89c3aa632
SSDEEP

3072:4KtaaxtbPhRYiP8pZ2+Had7JNCNcDf6OeBLQQ7srum9L6X:4KxbPhKM8D6d7ScD1eB8lL6X

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2172	2528	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2172	2528	39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2172	2528	39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2172	2528	39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2172	2528	39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39185e8ea4a032a4024331babb8c9e2b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 240
  2⤵
  - Program crash
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
9f2001c8a5cda191f3c87a82dfe014b8

SHA1
4c759025abf6b68bbbbc4d0f3ba982413c438db1

SHA256
964cb6f57ead978154c8852f7c476d3f45dd525b873f8d13ce568b853c317e58

SHA512
36e4d5416ce706358b4ddea744554ee275104892cd847732278fb2aacb43e18db3559cc1c492953377a1ff59c7957b72b205506f0f7b7c4cfe4ae116fe029194

Download Submit
memory/2528-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2528-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download