a8ca7b61fd1dadf66ed18a03c340e4ba9d9df8ae6bf561519638430a579ea13d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe
Size

220KB
MD5

8a9126fd351fe25c8e9a127cfd04e2ab
SHA1

f72420060cb4b398a9b01f8566340ff6d08d3845
SHA256

a8ca7b61fd1dadf66ed18a03c340e4ba9d9df8ae6bf561519638430a579ea13d
SHA512

84ce4541371bdfd4b3928b03fc822a1dce76c475bdad320057f34c256b04010482471dd622bcc1a51b7cd4ff0714c68fb55e2df2fa3b11c581307240ce49d083
SSDEEP

3072:w1D6LeSl5Htc5ckACyJiMAx9yZw4tVD29IE1N:cgewNiSJiMAx0W

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	0jpz.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	2248	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0jpz.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2248	1364	JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe	29
PID 1364 wrote to memory of 2248	1364	JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe	29
PID 1364 wrote to memory of 2248	1364	JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe	29
PID 1364 wrote to memory of 2248	1364	JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe	29
PID 2248 wrote to memory of 1652	2248	0jpz.exe	30
PID 2248 wrote to memory of 1652	2248	0jpz.exe	30
PID 2248 wrote to memory of 1652	2248	0jpz.exe	30
PID 2248 wrote to memory of 1652	2248	0jpz.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9126fd351fe25c8e9a127cfd04e2ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- \??\c:\0jpz.exe
  c:\0jpz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 132
    3⤵
    - Program crash
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0jpz.exe

Filesize
20KB

MD5
4745b040fa62e21a5a92ed0cf63a53dd

SHA1
d01c4f5fd04b1bc10432889d6452281b663e1cc0

SHA256
1b0ddcef3e0fa4c25b23c280a97f03ce652f6a8cafb5999b4066627ace763b59

SHA512
db7330e05a3b417a121e034b87a139fb13c3c73bc39755e1ea0534398a41d01d50eb530cd0e9ae66ea1196ebfd4cd414939ede824a06ffd90f2ca4ecd8a8a040

Download Submit
memory/1364-0-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/1364-1-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1364-2-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1364-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download