e5f86bb461811179e1a4e45dc11f78616a73e9e2c471c82244a5693a1db93255

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
Size

166KB
MD5

f5bd5c44a6eccf5f5267d2f276fbdbf3
SHA1

fb2a00f06edd413864368786b7959beb456a1bec
SHA256

e5f86bb461811179e1a4e45dc11f78616a73e9e2c471c82244a5693a1db93255
SHA512

9ec475423b6b45c5e4a3fea0e3161ec296bb639389aa354a9c59b20feabc08c17489a34d0ca3a97992c705648abc01c125855c7cd8a3bdd9a87ed2564be139fe
SSDEEP

3072:npSEyBZks6zJ8XfwBOg3jO8vmk/Y3PFdEHlizroo/f0n8gJltp:p7IZks6zJEfwBOg3S8uk/+PuYzrFXQ8o

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1792	2676	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 2676	64	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	83
PID 64 wrote to memory of 2676	64	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	83
PID 64 wrote to memory of 2676	64	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 276
    3⤵
    - Program crash
    PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2676 -ip 2676
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe

Filesize
114KB

MD5
aa90720d221cfcd886079a1e45153beb

SHA1
1dd3aa721f00bd5cfb1388f232d0c820add2e4cc

SHA256
d1c85438bd36cb0c3651b1d9c6cdfe875bd6551093104706efb07417d3939be7

SHA512
2f96f1bc3a9e403f5f15d1b35a7d13ba78793891bd278408611cf3fa74be54589b0926df3820ba4d1e2ac9f8600eace174ec30f0453ea961d239f80538f7047d

Download Submit
memory/64-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/64-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2676-4-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/2676-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-9-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/2676-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download