889494ffb2c350f37818b8674d725d3304e36e5584ae493330d6946fb107a67f

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
Size

1.4MB
MD5

5737eb64925f5f60fd91796703c676df
SHA1

dbd372c4acde7c87c22625453aa11b6f00bdcae5
SHA256

889494ffb2c350f37818b8674d725d3304e36e5584ae493330d6946fb107a67f
SHA512

951a28615691afe14fe2d12fb6670e1b34b24efb0b5db79d235e9763b4ca83d5971989669d89b84ec8cfca8e82c4e169bae82e53bdb8b2ae49d0f73d4c7ac689
SSDEEP

24576:RjYy2NberIRhR1HvHGNR7d2Ij+Ohl0g0RF8S4dlmOPkrxoZ:REvisha5q7FtQ

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
5292	JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5737eb64925f5f60fd91796703c676df.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NetCoffee\SendIPX.Txt

Filesize
400B

MD5
22ba83162bc00d00b6b57c5f829d0e77

SHA1
266bfe156d91d6386d6b8cc49e9104b51edc3e36

SHA256
78c0695863ac3ddfd4d99c6385e159f198a9da44c2069fa8d3f1e9c427ac68ad

SHA512
bb1270380757ce603917778638979dd28228fa99f06c9ff3c7fc011adb29d7776d9389b26f98a618c04edf9c5c7734b298a01839607f43ee3faeca31af5bc6ef

Download Submit
memory/5292-0-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5292-10-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5292-9-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download