9dc6644b59a4c37995b0c017256d938e03f6dc26a7b2cfee9f6eac92d8457dc6

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe
Size

430KB
MD5

99c99ae716fba538d8685f2e9d5f9be5
SHA1

4aac17819f8dc6a9435481fda825936c47aeb489
SHA256

9dc6644b59a4c37995b0c017256d938e03f6dc26a7b2cfee9f6eac92d8457dc6
SHA512

aafd92aae54543999bc54cc9f3ab1126a52c5d91e4bbca17c9bf07d36132c84c1b76e945d1ce3ccd5dcecb1d187a225ed85423ab0338ccbc7dc016a9ed1e6750
SSDEEP

6144:hBlL/+lrHomkbgytaFTAGGW56pXrT6DpFpK7ULtVjHIvDp2IWyxRKQXPn03fmoGT:nNbrGAGGy6pXAhqYA8IhPOfmoGT

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4964	JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2208	4964	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1312	4964	JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe	83
PID 4964 wrote to memory of 1312	4964	JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe	83
PID 4964 wrote to memory of 1312	4964	JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99c99ae716fba538d8685f2e9d5f9be5.exe"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 984
  2⤵
  - Program crash
  PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4964 -ip 4964
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\woskyvpzx.dll

Filesize
19KB

MD5
dd4ff4b24f8b39951e3946a5282b7ed0

SHA1
d4d1015d01326ba4526fcff52e4c9bbb271d951e

SHA256
f880d09a6f9bc64f974844f92fa9bb764dc2613342fde134d8c037a2267506bc

SHA512
6e822b523f15948a42b1d2703525c8f3744fbb6a7e3aff99345908822fbd65dafe38d6972976211f9558c712d65be1c1a42bb9dabb63fb4576c409ce95e93528

Download Submit
memory/4964-8-0x0000000010005000-0x0000000010007000-memory.dmp

Filesize
8KB

Download