786aa1e9f98fabbcd356c1cd1ea1c5dd115d33bbfa02d140391247c66dfc45f3

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 22:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
Size

200KB
MD5

76446975071b3d7bca4551b4a9fa53a5
SHA1

22ac8497f32e8aebcc95a174558265917ca07350
SHA256

786aa1e9f98fabbcd356c1cd1ea1c5dd115d33bbfa02d140391247c66dfc45f3
SHA512

7df707885ca926145a1220d8a385f88e3d404477681e6ee333ae028070badb1abddf3435b7452bb0c0e64382ef550ad16930fdc36bd648018bb99822a3047d82
SSDEEP

6144:cZilzeAzEQJFqNU407ZrZNhuuqEMqstq6y0yLMs3:KiljzvKNyBfhuXEiCFL

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4644	2828	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 332
  2⤵
  - Program crash
  PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2828 -ip 2828
1⤵
PID:1248

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0BE046FDFDDA698C15A7537BFCFD68AF; domain=.bing.com; expires=Thu, 26-Feb-2026 22:21:56 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F7A6EBF27C124E898C07D5BE60A1270D Ref B: LON04EDGE0719 Ref C: 2025-02-01T22:21:56Z
date: Sat, 01 Feb 2025 22:21:55 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0BE046FDFDDA698C15A7537BFCFD68AF

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=qJygAa8WiVG3g5lzg5Q7hcpExEewPWPWX03iKjnvpB8; domain=.bing.com; expires=Thu, 26-Feb-2026 22:21:56 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DD647E1C24F24CE1807458323E8EEF46 Ref B: LON04EDGE0719 Ref C: 2025-02-01T22:21:56Z
date: Sat, 01 Feb 2025 22:21:56 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0BE046FDFDDA698C15A7537BFCFD68AF; MSPTC=qJygAa8WiVG3g5lzg5Q7hcpExEewPWPWX03iKjnvpB8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 23CF2BB4228241FDA5C0711AC1153456 Ref B: LON04EDGE0719 Ref C: 2025-02-01T22:21:56Z
date: Sat, 01 Feb 2025 22:21:56 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

1.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.31.126.40.in-addr.arpa

IN PTR

Response
DNS

20.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.49.80.91.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ead3ddd3718448396cd144b897e5a7c&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

1.31.126.40.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

1.31.126.40.in-addr.arpa
8.8.8.8:53

20.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

20.49.80.91.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.