dc315ad9e9aa4282eb25411fef0e0563ce5f328f6922ca93e0bfc9b8aa355177

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dc315ad9e9aa4282eb25411fef0e0563ce5f328f6922ca93e0bfc9b8aa355177.dll
Size

536KB
MD5

12c98c1d65298fbdb0b49030d8c39417
SHA1

27add474f0e38c1d467d6bc6574f4587984a84c3
SHA256

dc315ad9e9aa4282eb25411fef0e0563ce5f328f6922ca93e0bfc9b8aa355177
SHA512

cfa3b524ec0a7f206705d3539b834335d69c84c2410c7d420d42412483f1efac290a6e69beff76a22b08190185db46b628e80d7edc97667dbdbd94438bfebd40
SSDEEP

768:TUPo3D5GHMLrlv0rwFqccXS7LRzqpofYMNX/Q91K8qprIH7v62Disn:1D4HMLr8rS3QpIVNUKivag

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2724	1400	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1400	872	rundll32.exe	82
PID 872 wrote to memory of 1400	872	rundll32.exe	82
PID 872 wrote to memory of 1400	872	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc315ad9e9aa4282eb25411fef0e0563ce5f328f6922ca93e0bfc9b8aa355177.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc315ad9e9aa4282eb25411fef0e0563ce5f328f6922ca93e0bfc9b8aa355177.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 560
    3⤵
    - Program crash
    PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1400 -ip 1400
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...