c5a36339aa789b434f5a4535a12feb12f0fd352567ee78bdcc1baf18b6936a12

Analysis

max time kernel
104s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe
Size

88KB
MD5

78b4846ac989f85ddfa4537293a32e76
SHA1

31b2c47daf82069dd975eb30f245c7022d9125a5
SHA256

c5a36339aa789b434f5a4535a12feb12f0fd352567ee78bdcc1baf18b6936a12
SHA512

2174442413664b6808764ef42c6b0fb211fc5812210262620e0937732e105814483585a1f1a0dc8ee128716f303ac36972f13bac1e2960ad9d3da820fb2dd170
SSDEEP

768:rlHSuJKqyLohfceYqHlHSuJKqyLohKgKfAyLoouJKdal:RHTJKqOpe7HTJKqOEKoOaJKd2

Score

10^/10

google discovery phishing

Malware Config

Signatures

Detected google phishing page 1 IoCs

phishing google

flow	pid	Process
14	5800	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	sites.google.com
5	sites.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\asys.bat	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe
File created	C:\Windows\SysWOW64\sys31.exe	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5800	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5800 wrote to memory of 364	5800	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe	88
PID 5800 wrote to memory of 364	5800	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe	88
PID 5800 wrote to memory of 364	5800	JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b4846ac989f85ddfa4537293a32e76.exe"
1⤵
- Detected google phishing page
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\asys.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\asys.bat

Filesize
870KB

MD5
13552399c74d2bf9fa002375b2546b5b

SHA1
0238ee7a5e38036a9362ed3e1d359cd5437371a4

SHA256
1e22c3d89db12baf98f4e7a710e47b842f958edf700b477e5de999310c1ca6c7

SHA512
10db85cbac2014a4ee32cd7eec0fa7eeb3c2fcc31baae2509f502ff5e3c6bb925217c3841d03031704fa24d7b7a443200d9e4cc7bdaf12b173e6edd5512a0a3e

Download Submit
C:\Windows\SysWOW64\sys31.exe

Filesize
870KB

MD5
d82d39c41b2c6ea00ef9d19185f095c4

SHA1
7ad6971e0cc7f365be195afb62273e5682a544c6

SHA256
85ef83a40b03ef94dca6813a6ecbe715fcdb1f9ae86934e0a4b040dec3e18edb

SHA512
004496f01f3f3cbb1b522390c286df4b9b64073efd97f437a815a61a20714b4aaa585dfed8521eb173d032ce5130f32e5a5e433e78cff489a48477b683c2603a

Download Submit