Analysis

  • max time kernel
    143s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 14:57

General

  • Target

    JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe

  • Size

    64KB

  • MD5

    40bf354a2f5f69e307f9498660a7275c

  • SHA1

    8b43bf482c7f589d55c12d1066da4f193aeb7bbb

  • SHA256

    4fe312ba8f103e4854f6587495146e342684f76874fb7937379062e56fc9110f

  • SHA512

    71c12aa22bbcaccd14c281712f889f8342e06dd1bd70e0b2d4e0305d1ff8f285ec447a482bc79c47c89a27c6920dd525ba415887d37292cfd2fce960ce437b0a

  • SSDEEP

    768:+wBVHpKTX6O91dbxSFhLfQmETEfax+T1i5JmuKFBXegYBn2RTijAvjx:+U4N91dbxCdomEToT1Z1e9AcI

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Users\Admin\AppData\Local\Temp\WinDefender.exe
        "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Users\Admin\AppData\Local\Temp\WinDefender.exe
          "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe"
          4⤵
          • Executes dropped EXE
          PID:1216

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\WinDefender.exe

          Filesize

          64KB

          MD5

          40bf354a2f5f69e307f9498660a7275c

          SHA1

          8b43bf482c7f589d55c12d1066da4f193aeb7bbb

          SHA256

          4fe312ba8f103e4854f6587495146e342684f76874fb7937379062e56fc9110f

          SHA512

          71c12aa22bbcaccd14c281712f889f8342e06dd1bd70e0b2d4e0305d1ff8f285ec447a482bc79c47c89a27c6920dd525ba415887d37292cfd2fce960ce437b0a

        • memory/1216-19-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1216-20-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1216-21-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2104-2-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2104-4-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2104-5-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2104-15-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB