Analysis
max time kernel: 92s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 20:34
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
Size: 104KB
MD5: 437298c4fbec9e4ef812f7324ffaf4b6
SHA1: 4468814c74f41a69d7cbc73c0e80edb02889c1f6
SHA256: c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922
SHA512: d9c2ecd4a131466cb49e77016b062e802848cdc70343d7b56a320d5c62222d816540469a58fb4110e807a1762aa4a3f902b4c97c78d1d5bd4d154273ecd6766c
SSDEEP: 1536:QM6jnaxvwQ5zttkv7EoIzUY9OXkHAoFWVL5zzgeWk8x7o1/ilEXeUKfZ0s3mYzz3:EgwWzoIoIUXkH61Mdkg7ogGYAuz3
Malware Config
Signatures

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine
  Process: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Process: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
  Process: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

Program crash (1 IoC)
  pid: 492
  pid_target: 428
  Process: WerFault.exe
  procid_target: 83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 428
  Process: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

  pid: 428
  Process: JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"
  PID: 428
  Signatures:
  - Identifies Wine through registry keys
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 444
    PID: 492
    Signatures:
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428
  PID: 3404