Analysis
  max time kernel:   105s
  max time network:  134s
  platform:          windows10-2004_x64
  resource:          win10v2004-20250502-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         04/07/2025, 17:32
  Static task:       static1
General
  Target:  JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  Size:    629KB
  MD5:     1c70559dbdd68a5989d6cf1d9e2cbdec
  SHA1:    63d77596329adbac4fac4e948960f6d9ae1b0b4a
  SHA256:  9795982ab78e29ee900f7c46d62d5e5b51b3814a4200e136ecc01a3d6d072db6
  SHA512:  92339e77ca81fcaf343a20e522165dc3fe7b1fabc118ca2ba5191a793f29c6b569cd7afddfb49032f56b45e9836375be48670be174885fb8b3b19b69bb62de7d
  SSDEEP:  12288:pE3Y2jjm7PhomZQEuS7DOyLdmdHgB0130KxOu8V+CKtWJeWu9V2v/mPnN5N6:pEBghhuS76y4dsRKNDCKtWJer17N6
Malware Config
Signatures
Loads dropped DLL (3 IoCs)
  pid  Process
  388  JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  388  JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  388  JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3484  388         WerFault.exe  83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened
    ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process:     JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe

Modifies Internet Explorer settings
  - description: Key created
    ioc:         \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
    Process:     JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  - description: Set value (int)
    ioc:         \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe = "11000"
    Process:     JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid  Process
  388  JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  (12 entries in total, all with pid 388 and the same process name)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe"
     PID: 388
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Modifies Internet Explorer settings
     - Suspicious use of SetWindowsHookEx
     2. C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 2648
        PID: 3484
        - Program crash
  1. C:\Windows\SysWOW64\WerFault.exe
     Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 388 -ip 388
     PID: 2336
Network
MITRE ATT&CK Enterprise v16
Downloads
  File 1
    Filesize:  224KB
    MD5:       dbfaba3a1329a0925530482cfd700b21
    SHA1:      a6a8e5000c16ba28bea645bb456c101ca19e0a70
    SHA256:    45289f096984e9af391cbe7b907866f25fbe9a419bd70e435d7ef041aefb7b9f
    SHA512:    6bd296185dbf0aef232fa9f96d7377fd6f93dd6ccbd97ee3285732c0a897ba5ec60531845e538102fabc0cd5f7fad0c6f32f79ae88875aba58b5e52a4a3f983c

  File 2
    Filesize:  17KB
    MD5:       62008374a494afeea2ee2ae9eee4c8c0
    SHA1:      94808fcf0748c437f4d7ffa4d540e054cb014fab
    SHA256:    9c4affddfa97b268b07c00ac28a2fe617dda806bf55088ccf348da149ee76c1a
    SHA512:    f584ed647b69ff8ff80450be8f0b267ebb3c97826dbf01d078165ea94b43afd1f00fc58b91d9e8f4d78465d70312c1b1a6ac66583ebdc009b0ce471a6cf149a0

  File 3
    Filesize:  1.1MB
    MD5:       6482716b29a424ade699f29560302f5d
    SHA1:      4d56bac748e72ce98405a7509c2bb33efe06af59
    SHA256:    72e73c6a03f37c7cad227b5940d9189a63a8729ef6199ffc068f7dc234ad583f
    SHA512:    6c58c0e347d772e403ace72a644f395e7918907374fc557970aa617df823823427f8905bed819ac04c25d5280662c7c26e999931ea51800f8ee9f55c9b64f60d