63e10d018a126282cf3855a9818904b7c1af84a592114b4bda4e760617c051ce

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe
Size

652KB
MD5

4c7d5c7743338443bc1b768b2e4a2a76
SHA1

342f4dc3be20df70c39be18e45e7bcf85df9989d
SHA256

63e10d018a126282cf3855a9818904b7c1af84a592114b4bda4e760617c051ce
SHA512

5bf0ef7ccd88911594c16555dc0bc4f697630d778b5f86afd6646ea54f3c2db55eadae6e50d3fd7846f9779cfb74e73643d53781fc79020744df813205663879
SSDEEP

12288:Xvoz/t3bDiFtMI0bQxl+0FS/FMApyX/02A2l0ULsXaATlRA9cGUnSe1nd:gpLTKwCsX7XAujXnd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4536	syshost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 4536	1476	JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4808	4536	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4536	1476	JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe	86
PID 1476 wrote to memory of 4536	1476	JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe	86
PID 1476 wrote to memory of 4536	1476	JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe	86
PID 1476 wrote to memory of 4536	1476	JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c7d5c7743338443bc1b768b2e4a2a76.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476
- C:\ProgramData\syshost.exe
  C:\ProgramData\syshost.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 12
    3⤵
    - Program crash
    PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\syshost.exe

Filesize
6KB

MD5
36c689700adbb227867e409938607270

SHA1
6123e236f73faa37600a60107a5b167980b83a61

SHA256
a2158014ecd471868954d0e97397f9df43e310c48d56fa0b5a6ef908dc654adf

SHA512
c75728ed30135032a6755e33b9034b98c871554c33a4b8ba1586e0b3282dbc65e3b61571d407365b24289dae2de56b514ef0db744f85e6648dc6432a33b85fef

Download Submit
memory/1476-0-0x0000000074772000-0x0000000074773000-memory.dmp

Filesize
4KB

Download
memory/1476-1-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/1476-2-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/1476-8-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download