101c0a9d2fa8c5a0458bebd09f231c907b2ffd0a1e631fc462bd70d3e290ff29

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Size

811KB
MD5

60cfaa931b01a8f08ffe203ec8506080
SHA1

8fb983e216e23bc857d1a90ef63b00ac3b9c9a88
SHA256

101c0a9d2fa8c5a0458bebd09f231c907b2ffd0a1e631fc462bd70d3e290ff29
SHA512

cb07b18b4c83ff26e9906545b8f82698dc00186f4bc9fa286fbdce131f81d3134d614ce8ba0967bc58f715029a0e8a883be4c660c121fe2c816e44a29127c878
SSDEEP

12288:gRm0OqZQDi02wPW6QIHd4/vqUfcfSpKUy0:K2Dd2g1z+3tfYSpL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1660	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe

Loads dropped DLL 11 IoCs

pid	Process
2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2556	2528	WerFault.exe	29
1980	1660	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1660	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	30
PID 2528 wrote to memory of 1660	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	30
PID 2528 wrote to memory of 1660	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	30
PID 2528 wrote to memory of 1660	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	30
PID 2528 wrote to memory of 2556	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	31
PID 2528 wrote to memory of 2556	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	31
PID 2528 wrote to memory of 2556	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	31
PID 2528 wrote to memory of 2556	2528	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe	31
PID 1660 wrote to memory of 1980	1660	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe	32
PID 1660 wrote to memory of 1980	1660	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe	32
PID 1660 wrote to memory of 1980	1660	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe	32
PID 1660 wrote to memory of 1980	1660	JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 156
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 152
  2⤵
  - Program crash
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe

Filesize
404KB

MD5
3a51be334f3cedd7185130cd60047496

SHA1
5572a04718cffb848ae660713415b8ab95b3ec5c

SHA256
3e6d0b2887dad2ea3845139a31dfc8b8a2923c3f58ae8ba241d1498e1cc7747b

SHA512
ed2dda92f22f1d972508ede37cf6b8cf719e1d53271c2af988fe700e53f4ca0feb7e39712135e1c128f63ebf08ee6a555f35b555243c233afc943a22c9fe5783

Download Submit
memory/1660-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1660-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2528-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2528-9-0x00000000008E0000-0x0000000000950000-memory.dmp

Filesize
448KB

Download
memory/2528-8-0x00000000008E0000-0x0000000000950000-memory.dmp

Filesize
448KB

Download
memory/2528-22-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download