bdd4349a0e1cbe685df15481feb7b26d1f48574dc5233952693128d7163f9d88

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe
Size

238KB
MD5

6366c65c0dd25ac01e7cb458d6b5c8a0
SHA1

04e23371613dc84abba783f0cd1749f1332aaa9f
SHA256

bdd4349a0e1cbe685df15481feb7b26d1f48574dc5233952693128d7163f9d88
SHA512

9f1beccae5817af14753626e7933a1c0ea5667fc3f12b15dffa9ead4abfd476573105a5a1bd6813aa6ceaa2751cd9463991f716f913e02aa76fb3cdee7a8f1e7
SSDEEP

3072:/nxwgxgfR/DVG7wBpEwnRA3NenBXqNXg8NGB1t0MwqCeu0GZ4Jp5p:r+xDVG0BpfA3AYqBrrtCwGK5p

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe
2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2248	2948	WerFault.exe	30
1792	3008	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3008	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	31
PID 2948 wrote to memory of 3008	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	31
PID 2948 wrote to memory of 3008	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	31
PID 2948 wrote to memory of 3008	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	31
PID 2948 wrote to memory of 2248	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	32
PID 2948 wrote to memory of 2248	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	32
PID 2948 wrote to memory of 2248	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	32
PID 2948 wrote to memory of 2248	2948	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe	32
PID 3008 wrote to memory of 1792	3008	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe	33
PID 3008 wrote to memory of 1792	3008	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe	33
PID 3008 wrote to memory of 1792	3008	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe	33
PID 3008 wrote to memory of 1792	3008	JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 100
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 100
  2⤵
  - Program crash
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\JaffaCakes118_6366c65c0dd25ac01e7cb458d6b5c8a0mgr.exe

Filesize
118KB

MD5
933f0da1ac113e75977f58842aab2b5c

SHA1
d50b8b7c6130fc76afedb564808b7ff4286bfdac

SHA256
d9d8a6241323d46dc53b1f76c03fe9b72f4ea3780042870ee949e42dd432ea99

SHA512
fbc4fb18b5b8f659441db4b8cc0c64ad1297448939d001a6a21de31c1cc5e813fa1024223b28c20700cdd5796dbca0559ca2678b21b2f5d10d3d116eb8164cfb

Download Submit
memory/2948-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2948-10-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/2948-9-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/2948-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2948-21-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/3008-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3008-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download