c4aa82dbb65fb909d84bee0d7afc1e8fe095621cfbc4ca2963ae7e68d4608d14

Analysis

max time kernel
92s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
Size

10KB
MD5

1c1ec7eadb759f40f59e86572efa6dac
SHA1

ab97f6c16709f12d7c0a2f5a6d2124d553c845c7
SHA256

c4aa82dbb65fb909d84bee0d7afc1e8fe095621cfbc4ca2963ae7e68d4608d14
SHA512

33548d188ffd338b3b7d334011f2b0f90347c6ad87cbfbcac1033849c946d76a6ff8dc4b42cd995c2b052c9335b54ce2051a85b9fb81f27b4bd08265a2d58c29
SSDEEP

192:VM7lkqCyqT8SJkD22413UA9O6E5GrPTH3oF8nGvHUNCp1/rM+:olDCrkK2EkAs6EGrPDYOnGvHUNC3/rM+

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2380-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000800000002276d-5.dat	upx
behavioral2/memory/2380-316-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2380-347-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2380-828-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2380-1218-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2380-1701-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2380-3602-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2380-3932-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	\??\c:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File created	\??\c:\Program Files\desktop.ini	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\desktop.ini	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ext.txt	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\PresentationCore.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\WindowsFormsIntegration.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\PresentationFramework.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.OpenSsl.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\WindowsFormsIntegration.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.FileSystem.Watcher.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\classlist	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jar.exe	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClientSideProviders.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationTypes.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ba.txt	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Sockets.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Input.Manipulations.resources.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Resources.ResourceManager.dll	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\pt-br.txt	1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3436	2380	WerFault.exe	84

C:\Users\Admin\AppData\Local\Temp\1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c1ec7eadb759f40f59e86572efa6dac_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 940
  2⤵
  - Program crash
  PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2380 -ip 2380
1⤵
PID:4232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
123KB

MD5
dc4c0c2ed7e1011f5117873d0a21ce6f

SHA1
6d733709af19a6f31b98f333bf86f6369bb0fa8d

SHA256
75bffc26a51f5783391987cd16b8fc401dc3cbf0fd56369c0df1b519844ef6b5

SHA512
9a8d3e3b72d6afca0ab6a81908fd04f08c371d30b1b23655d78050527508ca49ace1d901748e573128034626413f65d5fa2bb324598a8dfc6ca11434a698e28f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/2380-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-316-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-347-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-828-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-1218-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-1701-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-3602-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-3932-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download