2eb17d1b539434f14964e8712967a316b60139342c03f1ab41cce26d525b6674

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
Size

159KB
MD5

51971a2dfa78e538e44b44f04b0cd4d6
SHA1

fa02179f997e8ef3ce3515dc5056ed788b54e742
SHA256

2eb17d1b539434f14964e8712967a316b60139342c03f1ab41cce26d525b6674
SHA512

8c927c9a49629a8ffa93af19aefdd5e93e2711aa9fa7ec3e4335a5559b23d52068af5a5d65ed60732e8c6834f9b4a78af922a071e7df945af31c7028615a5a1c
SSDEEP

3072:RBymKRr0U5vw0TdLov8MDX8F9jywLatx2LbE4Uo7Nj:RBybjwyovIFtZLatw/E4U4

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wi259438570nd.temp	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MySomeInfo.ini	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1964	632	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
632	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
632	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1964	632	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe	30
PID 632 wrote to memory of 1964	632	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe	30
PID 632 wrote to memory of 1964	632	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe	30
PID 632 wrote to memory of 1964	632	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 296
  2⤵
  - Program crash
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MySomeInfo.ini

Filesize
361B

MD5
dac87dfa78d8079c13dcc149b3db7b7d

SHA1
0dbffc4d2087ac6d096924be64596da9909c2848

SHA256
1dee124e6d5e8ae781222c3e8f81e99ae36dcbf7119b06ea6c145b5df521a2eb

SHA512
008634a1c4eaab56315a70568c72cb13018a4bce654d1486f5199868dc7e65078f394ecd8ab8d682b538229e9bcc6e068bf901ecb35be32183725144063cfd27

Download Submit