Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-01-2025 02:43
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_622c905a2563762dfac3016d36614e47.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_622c905a2563762dfac3016d36614e47.exe
Size: 348KB
MD5: 622c905a2563762dfac3016d36614e47
SHA1: b9dae9470c934bb23e3773bc03e6053713d88bcd
SHA256: dca2dacbab2005cce9bb707e8818edf2c62dbe1d56257ab718e5abbd8748a349
SHA512: b529c1d4f48b9a52a864f711df3863677a147e920af6febb1ac834c3d7c0d10fed4e41d6cd435fcfe4bd43fcc55643095fa3309b8f6854ed24f52194d8d0911a
SSDEEP: 6144:MMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOazjE8:MMTi0uhMqe9ts2zWTpMmCG7d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid  | Process
3052 | JaffaCakes118_622c905a2563762dfac3016d36614e47mgr.exe

Loads dropped DLL (9 IoCs)
pid  | Process
1944 | JaffaCakes118_622c905a2563762dfac3016d36614e47.exe
1944 | JaffaCakes118_622c905a2563762dfac3016d36614e47.exe
2384 | WerFault.exe (listed 7 times)

Program crash (1 IoC)
pid  | pid_target | Process      | procid_target
2384 | 3052       | WerFault.exe | 31

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                       | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_622c905a2563762dfac3016d36614e47.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_622c905a2563762dfac3016d36614e47mgr.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       | pid  | Process                                                | procid_target
PID 1944 wrote to memory of 3052  | 1944 | JaffaCakes118_622c905a2563762dfac3016d36614e47.exe    | 31 (listed 4 times)
PID 3052 wrote to memory of 2384  | 3052 | JaffaCakes118_622c905a2563762dfac3016d36614e47mgr.exe | 32 (listed 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622c905a2563762dfac3016d36614e47.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622c905a2563762dfac3016d36614e47.exe"
   PID: 1944
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622c905a2563762dfac3016d36614e47mgr.exe (child of PID 1944)
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622c905a2563762dfac3016d36614e47mgr.exe
      PID: 3052
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 3052)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 100
         PID: 2384
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
MD5: b5fa407b7ba06a139086f6fe65a317f7
SHA1: 4c41705144148c2a13285b790b3aec0bfc81876b
SHA256: 641f27b9724a242dc2391cdd48357c1ea7f53684ab2187e521a07afca0ede662
SHA512: 9cb6cde83bb24849076b72f736d6778e657e8eab369a2d5368f641eebe3211d7f6233f5a14755b3019a48a481124de61b7671a317d44fcf63dbec3aefe1428cf