Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/01/2025, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe
-
Size
240KB
-
MD5
4392a267463ca34065f7d7a946ce6361
-
SHA1
f0f35c157dba389858ec3fe3bf71769dc22f81c9
-
SHA256
d3a7b7b8400ecf781dcfccd1160783d198cc906e4b96906b9624d950b506b1fc
-
SHA512
863300a9cb3c05d0903fe461fed248168450b9c1c363d42a3d806bac42c776287d9f17d3dc5692dcfefdf476d7a66f2c4bc365ab59df190dec6d844f533e69a9
-
SSDEEP
3072:G+b8oarx9+/HQLvYKTFmpTZWuetGsGMzMv69D4WrzOSsvZzkuDj3mw2j7VqaSp66:G+crEHOYYmlIGbi9VrERLvYNqclm7
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3148 Utility Mang.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Utility Mang.exe JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe File opened for modification C:\Windows\Utility Mang.exe JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe File created C:\Windows\Uer.bat JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 3112 2340 WerFault.exe 82 668 3148 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Utility Mang.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3148 Utility Mang.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2112 2340 JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe 90 PID 2340 wrote to memory of 2112 2340 JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe 90 PID 2340 wrote to memory of 2112 2340 JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe 90 PID 3148 wrote to memory of 548 3148 Utility Mang.exe 89 PID 3148 wrote to memory of 548 3148 Utility Mang.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392a267463ca34065f7d7a946ce6361.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 5682⤵
- Program crash
PID:3112
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\Uer.bat2⤵
- System Location Discovery: System Language Discovery
PID:2112
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2340 -ip 23401⤵PID:4796
-
C:\Windows\Utility Mang.exe"C:\Windows\Utility Mang.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 5442⤵
- Program crash
PID:668
-
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵PID:548
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3148 -ip 31481⤵PID:428
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214B
MD5b1cbe41d15542f7b30c4cd501f6d3f2c
SHA1bc9932c60d777fb68795433444f716494fc3e3dd
SHA25644abe5a681992bbc1a09c2a674df09cbed77e0493fef5db06d83731ba34f7341
SHA51208eab59b01b6bcb4417dfe77b4d54c617e9d7d6c12d27def70dc41659c6f20f7fed3f779cfeb130bb924515c4b2418568e7e1834ba34506f52e4bdff0fa73999
-
Filesize
240KB
MD54392a267463ca34065f7d7a946ce6361
SHA1f0f35c157dba389858ec3fe3bf71769dc22f81c9
SHA256d3a7b7b8400ecf781dcfccd1160783d198cc906e4b96906b9624d950b506b1fc
SHA512863300a9cb3c05d0903fe461fed248168450b9c1c363d42a3d806bac42c776287d9f17d3dc5692dcfefdf476d7a66f2c4bc365ab59df190dec6d844f533e69a9