a037b821e1235090e074ec007020a635eb41df46106dc9a0d192cd4461e630cc

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
Size

5.5MB
MD5

85f1344124cd347dc512f76f3835bde5
SHA1

91797444e53af113b0b4dc982f1f417b91a7d82b
SHA256

a037b821e1235090e074ec007020a635eb41df46106dc9a0d192cd4461e630cc
SHA512

f54b22fc7d2769b28964455c296e38a671af27197f786f1a05d33eedc7c978b30ff6d69441ca522b9b125671b1d2bcbfb3bb0f87f09489c73ef25c8b382e1292
SSDEEP

98304:9PmeYfofuQvHKZl0Dhntvgcf9JH6hg9RRNNlzMzX9x42sHWprAwijyA/4:9juEqZ+acyujsX92P2pswieAw

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3664	4028	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4408	4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe	83
PID 4028 wrote to memory of 4408	4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe	83
PID 4028 wrote to memory of 4408	4028	JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85f1344124cd347dc512f76f3835bde5.exe"
  2⤵
  PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1072
  2⤵
  - Program crash
  PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4028 -ip 4028
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TestProj.dll

Filesize
21KB

MD5
b4c007c9a2638a09d8872ba51dd61ac2

SHA1
55d1bb5f4128ab1aecd5ea5768da89c6671cdb47

SHA256
3979d4ad8ea65508ed096e57c338eca5171ab1b7cc05ff266792116ed41ec679

SHA512
5b725e9f6517cdf09a2eb0966d61fce5dc86a6a2f325538b07d1e604d8c3b552e74f6ad8db0c7442377033032700763a2afa84fbbe08998a3012300bc6080b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5B80.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
memory/4028-12-0x0000000074CA5000-0x0000000074CA7000-memory.dmp

Filesize
8KB

Download