Analysis

  • max time kernel
    92s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 20:34

General

  • Target

    JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

  • Size

    104KB

  • MD5

    437298c4fbec9e4ef812f7324ffaf4b6

  • SHA1

    4468814c74f41a69d7cbc73c0e80edb02889c1f6

  • SHA256

    c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922

  • SHA512

    d9c2ecd4a131466cb49e77016b062e802848cdc70343d7b56a320d5c62222d816540469a58fb4110e807a1762aa4a3f902b4c97c78d1d5bd4d154273ecd6766c

  • SSDEEP

    1536:QM6jnaxvwQ5zttkv7EoIzUY9OXkHAoFWVL5zzgeWk8x7o1/ilEXeUKfZ0s3mYzz3:EgwWzoIoIUXkH61Mdkg7ogGYAuz3

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"
    1⤵
    • Identifies Wine through registry keys
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 444
      2⤵
      • Program crash
      PID:492
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428
    1⤵
      PID:3404

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads