5635680db784458c202b66ff6a022282c6785e65724aa127ce701bfa3cde17e1

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/03/2025, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe
Size

575KB
MD5

87776b047a3f8f45b5c1986a38a9d540
SHA1

5d78b7db83b0c0e112732d74e5765dc62d984a23
SHA256

5635680db784458c202b66ff6a022282c6785e65724aa127ce701bfa3cde17e1
SHA512

950112b654a7e5329c5da889c4cdd0257a2b757f059d7b78a9059fe4a8a7b518d816551d7708f375f1bfadafad4e8c54ecfbf3ecfb3983ef5be1135d99e439c5
SSDEEP

6144:QUKjV0YWWy9zF38G+9PddNZxmirWR06XkqxLV4HtDnyv96GvKrqD+44dWPn:YjVtWWqh38G+9P/x16N7V4brqDL4k

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1736	1.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe
2540	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1736	2540	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe	30
PID 2540 wrote to memory of 1736	2540	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe	30
PID 2540 wrote to memory of 1736	2540	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe	30
PID 2540 wrote to memory of 1736	2540	JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87776b047a3f8f45b5c1986a38a9d540.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
520KB

MD5
54ea0904f3aaa4e9b834c2bc0732445e

SHA1
eed84bea3c8fd7c181bb8acf8f177142999e216d

SHA256
53dcd68ffe8f80f5ad1dcff39b11d52969d8ca79de8784b4a3c52f8882375d42

SHA512
759db13c755e0d9d011b19d5fc8e0b46a6ae0fd6d3114f4394f05f429b9a765563945c8e66f574838e3398ce914d6732439f302c96162375cbbbd62a2822719e

Download Submit
memory/1736-12-0x0000000000400000-0x0000000000442001-memory.dmp

Filesize
264KB

Download
memory/1736-16-0x0000000000400000-0x0000000000442001-memory.dmp

Filesize
264KB

Download
memory/2540-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2540-11-0x0000000002490000-0x00000000024D3000-memory.dmp

Filesize
268KB

Download
memory/2540-10-0x0000000002490000-0x00000000024D3000-memory.dmp

Filesize
268KB

Download
memory/2540-17-0x0000000002490000-0x00000000024D3000-memory.dmp

Filesize
268KB

Download
memory/2540-18-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download