2a8292e059e990cdeaf803bb133b21e5a0ca8a693a266cf1eba9a191b29c1630

Analysis

max time kernel
90s
max time network
19s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe
Size

95KB
MD5

74bebc7aafa7414a4e630db9b3e177a4
SHA1

cf0d7b14ce7b480a6d9dd21be319b984085af690
SHA256

2a8292e059e990cdeaf803bb133b21e5a0ca8a693a266cf1eba9a191b29c1630
SHA512

c3d1e0ed5918957ed4b15e69125490b29dd54bf12e889470ae4c0481b7e0de71f683e77e1c7eb7bf6a480aa3d8e34f29d72579d18c57637c8b803d52c54fd1a6
SSDEEP

768:G306R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYwK:GNR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	2464	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2540	2464	JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe	30
PID 2464 wrote to memory of 2540	2464	JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe	30
PID 2464 wrote to memory of 2540	2464	JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe	30
PID 2464 wrote to memory of 2540	2464	JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74bebc7aafa7414a4e630db9b3e177a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 156
  2⤵
  - Program crash
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2464-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download