97c57ce4bb199fbbd5343c93d81574bc0020a802127b38a38ea5452bced8e8ef

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
Size

171KB
MD5

df87e7b71373a004979e9f811c44fed2
SHA1

23066420e76e10b697c6df9b4a28c7a851581b8b
SHA256

97c57ce4bb199fbbd5343c93d81574bc0020a802127b38a38ea5452bced8e8ef
SHA512

75f35adcf5ba4b194abf0109355e0f51c33ffa02435e94b1ef09937db2e1f7296b14ff7f417c8d6ab0354a814e9097a4ed473aaca4b75bcc84d6017f9ee4f573
SSDEEP

1536:40nERoZtEEq3GcO6SmXjQXNhXm558NSY1WMtiDXUdeQw+8G3E+wxA6XFrY+:NnEOtEEqdXwNhokSTWi493E+DcFrY+

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000022767-5.dat	upx
behavioral2/memory/5072-3460-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	\??\c:\Program Files\desktop.ini	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\desktop.ini	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationCore.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\VGX\VGX.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\UIAutomationClient.resources.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.Primitives.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\j2pcsc.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Primitives.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Input.Manipulations.resources.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Forms.resources.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\JoinShow.aifc	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Internet Explorer\hmmapi.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.IsolatedStorage.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\WindowsBase.resources.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Controls.Ribbon.resources.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.CodeDom.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.Design.resources.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Royale.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Quic.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\clretwrc.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.SystemEvents.dll	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui	df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4944	5072	WerFault.exe	85

C:\Users\Admin\AppData\Local\Temp\df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df87e7b71373a004979e9f811c44fed2_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:5072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1008
  2⤵
  - Program crash
  PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5072 -ip 5072
1⤵
PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
284KB

MD5
ccace11d2943c34dc647789351c846c8

SHA1
083304a6d653f3dada8f92eb673ed5aada4d903d

SHA256
e5a7971cd46897d9854c06fb79210dbcaea21aaa9af70152444ddfb3edb06070

SHA512
e03305112124832358dad2ee28e0e4f322bc64bbe3e4ba9658bc4683332858e975c5b57db35502ef73cc26404f5335708fbd4e851e6ef09a4da97399c40040c4

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/5072-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5072-3460-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download