Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2025 04:51

General

  • Target

    JaffaCakes118_0a81bbc1b83330d03d760374094a599e.exe

  • Size

    1.8MB

  • MD5

    0a81bbc1b83330d03d760374094a599e

  • SHA1

    47747c41fee807b80a437166cf9323c517d0cafd

  • SHA256

    da2ba3a6cd9a50e7461aa622fb92d0a5623e6d1a8be3e5d16aed1eabcb3e3d24

  • SHA512

    d2cfcc57e18936a0ee95dd68bd64b97621c49d6a46507ab77a4eff387b8dffb0b8acacd8754fbcbb486e20fbe09265ba7776b920c755fb47df464213e0702bdc

  • SSDEEP

    49152:sY4p8Pt10/v65JrFXFarp9M0EnUH0/PdyGy8kRALLcduYZ:sY4p8FaH65Jf4aUU/PHy8kRiAdT

Signatures

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a81bbc1b83330d03d760374094a599e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a81bbc1b83330d03d760374094a599e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MAYSEX~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MAYSEX~1.EXE
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • System Location Discovery: System Language Discovery
      PID:5088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 564
        3⤵
        • Program crash
        PID:5112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 568
        3⤵
        • Program crash
        PID:716
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5088 -ip 5088
    1⤵
    PID:4236
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5088 -ip 5088
    1⤵
    PID:3068

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MAYSEX~1.EXE

    Filesize
    2.0MB

    MD5
    5d11d735caa85b42fa2da1b025895116

    SHA1
    997277fb62d4cf2474db0dd8628c252f362ab39b

    SHA256
    78559dd5bde582dd2c50bb53edcd39c277c0369148664bb55d8061defa4e53a8

    SHA512
    901db32c83f00f2cc221670b928b48a47eef23347489fb9113108da986d47a0050edea15e8db8f76f07343e983da1139b63754dcaa805cf59a45612eb33ad13d

  • memory/5088-5-0x0000000000400000-0x0000000000661000-memory.dmp

    Filesize
    2.4MB

  • memory/5088-6-0x0000000000400000-0x0000000000661000-memory.dmp

    Filesize
    2.4MB