Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2025, 08:31
Behavioral task behavioral1
- Sample: JaffaCakes118_8a7f5e902e1e5a8bf74071b4eeb543ab.pdf
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: JaffaCakes118_8a7f5e902e1e5a8bf74071b4eeb543ab.pdf
- Resource: win10v2004-20250314-en
General
- Target: JaffaCakes118_8a7f5e902e1e5a8bf74071b4eeb543ab.pdf
- Size: 6KB
- MD5: 8a7f5e902e1e5a8bf74071b4eeb543ab
- SHA1: fe7d2295555f5a6b9b45901e6a073e8e9f84eb68
- SHA256: 23bdc1b832d5e7299946f5b051695036dbf2816d5e469b45b00bd619e84e4117
- SHA512: f3ff091a4307af9592e0f06121aad4fccff6d6761fd8b2f037058c43909b29f90f438545ebf7343975bb0a881ff00070d95752d00b5d821d0beff314bf14bb75
- SSDEEP: 192:UeCNhy+L55gQrl5PUjgwG+7UdzJunUMwo8USLwo:UrND55ddwG+7T8UWwo
Malware Config
Signatures
-
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  2744 | AcroRd32.exe (the same entry is reported 5 times)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2744 wrote to memory of 2588 | 2744 | AcroRd32.exe | 31 (the same entry is reported 7 times)
Processes
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a7f5e902e1e5a8bf74071b4eeb543ab.pdf"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2744
  - C:\Windows\SysWOW64\regsvr32.exe (child of PID 2744)
    Command line: regsvr32 -s C:\Users\Admin\AppData\Local\Temp\wpbt0.dll
    - System Location Discovery: System Language Discovery
    PID: 2588
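The part of this report worth turning into a detection is the parent/child chain in the process tree: Adobe Reader (PID 2744) launching regsvr32.exe to silently register a DLL dropped in the user's Temp directory (PID 2588). The System Language Discovery hits are weak evidence on their own, since the report shows both AcroRd32.exe and regsvr32.exe reading the NLS\Language key and ordinary locale-aware software reads it too. The Python below is an added example, not part of the sandbox report or its tooling. It applies that parent/child rule to constructed process-creation records in Sysmon Event ID 1 shape (field names ParentImage, Image, CommandLine, ProcessId); the first sample record is copied from this report's process tree, the remaining records are made up for contrast. It generalises slightly beyond the report: it also catches the 64-bit System32 regsvr32, the /s spelling of the silent flag, and quoted module paths containing spaces.

```python
import re
from pathlib import PureWindowsPath

# Parent images that should never be launching regsvr32 on a workstation.
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Match both the 32-bit (SysWOW64) and 64-bit (System32) regsvr32 binaries.
REGSVR32_RE = re.compile(r"(?i)\\regsvr32\.exe$")
# Module path under a user's local Temp directory, as in the report.
USER_TEMP_RE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")
# Loose Windows command-line tokeniser: double-quoted strings or bare words.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_args(cmdline):
    """Split a command line into tokens, stripping surrounding quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def dll_from_regsvr32_cmdline(cmdline):
    """Return the module regsvr32 was asked to register, or None."""
    args = parse_args(cmdline)[1:]  # drop argv[0]
    modules = [a for a in args if not a.startswith(("/", "-"))]
    return modules[0] if modules else None


def is_silent(cmdline):
    """True if regsvr32 was told to suppress its dialog boxes (/s or -s)."""
    return any(a.lower() in ("/s", "-s") for a in parse_args(cmdline)[1:])


def flag_reader_regsvr32(event):
    """Return a reason string if a Reader process spawned regsvr32, else None."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent not in READER_IMAGES or not REGSVR32_RE.search(event["Image"]):
        return None
    module = dll_from_regsvr32_cmdline(event["CommandLine"])
    if module is None:
        return None
    # Reader spawning regsvr32 at all is the core finding; the rest adds weight.
    reasons = [f"{parent} spawned regsvr32 to register {module}"]
    if USER_TEMP_RE.match(module):
        reasons.append("module is in the user's Temp directory")
    if is_silent(event["CommandLine"]):
        reasons.append("silent registration (-s)")
    return "; ".join(reasons)


def scan(events):
    """Return (ProcessId, reason) for every matching event."""
    hits = []
    for event in events:
        reason = flag_reader_regsvr32(event)
        if reason:
            hits.append((event["ProcessId"], reason))
    return hits


# Constructed sample records in Sysmon Event ID 1 shape. The first one is
# taken from this report's process tree; the others are made up for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 2588,
     "ParentImage": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 -s C:\Users\Admin\AppData\Local\Temp\wpbt0.dll"},
    # Benign: Explorer registering a vendor control installed under Program Files.
    {"ProcessId": 4100,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" "C:\Program Files\Vendor\control.ocx"'},
    # Benign: Reader spawning something that is not regsvr32.
    {"ProcessId": 3012,
     "ParentImage": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # Same technique: 64-bit regsvr32, /s flag, quoted module path with a space.
    {"ProcessId": 5120,
     "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Bob\AppData\Local\Temp\a b.dll"'},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Run stand-alone it prints one line for PID 2588 and one for PID 5120 and stays quiet for the two benign records. The rule keys on the parent image rather than on the DLL name, because wpbt0.dll is a per-sample artifact while a document viewer spawning regsvr32 is the durable behaviour.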
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 118B
  MD5: 1e3d1d7ccce9072387ed24c82bc85d08
  SHA1: 7300cf719df310721b1598d4ee2671818eee0bb0
  SHA256: 06a4c7c7756ce2fe310a0e0a6bb4322e96d635eb01f158b05a50753010df52ee
  SHA512: 95183eeedeb8c121c087ac7d9d52faaf47c6b0e3410eead7b23757012e078069a4a1d7d2a7afe654eecd3a0db50d529e5a53d2bac334c47927715ae73ba7a0e3