cad72d1d5aec829038a3206a3e5d55f33d2238d65541e7e660597be0c047d1cc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e509afa2b8425b8c9618ccf20ca1f67_JaffaCakes118.exe
Size

254KB
MD5

7e509afa2b8425b8c9618ccf20ca1f67
SHA1

1668fa3e73cbc91b3ccdf5d8977e16ca201d3ce2
SHA256

cad72d1d5aec829038a3206a3e5d55f33d2238d65541e7e660597be0c047d1cc
SHA512

ce5d596f194f306ff34ffb410e0676b1fc235b3f77d70ee60fe96603b95720275e9ce29915d5dfe741ccbd4ac7dd4b73147c799c481947a1db4f3094c458f311
SSDEEP

6144:FsaocyLCXr2QxeUPpbNdV0g74E/hJQAjDUfK9uX/:FtobcygeMp/OuLPQwQLv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 2 IoCs

pid	Process
4524	installer.exe
2688	ins.exe

Loads dropped DLL 1 IoCs

pid	Process
3284	7e509afa2b8425b8c9618ccf20ca1f67_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	installer.exe
File created	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	installer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	ins.exe
2688	ins.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4524	3284	7e509afa2b8425b8c9618ccf20ca1f67_JaffaCakes118.exe	81
PID 3284 wrote to memory of 4524	3284	7e509afa2b8425b8c9618ccf20ca1f67_JaffaCakes118.exe	81
PID 4524 wrote to memory of 2688	4524	installer.exe	86
PID 4524 wrote to memory of 2688	4524	installer.exe	86
PID 4524 wrote to memory of 2688	4524	installer.exe	86

C:\Users\Admin\AppData\Local\Temp\7e509afa2b8425b8c9618ccf20ca1f67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e509afa2b8425b8c9618ccf20ca1f67_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\installer.exe ins.exe /dT201305141625 /e5106646 /aSCANIA /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\ins.exe
    "C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\ins.exe" /dT201305141625 /e5106646 /aSCANIA /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12236C41CDDF9E40BA5606CDF086B821

Filesize
95KB

MD5
73c91338ca3968d94fa15ec72f5ad251

SHA1
106c43de5262e43c3fc2f1585d53e51a1cbb6ba2

SHA256
e62b5df07c0a54845940cf6105745077411cdd6e308553ac2dedb0006c521453

SHA512
d6dd958ced6dfab683cf9a7e1875a3f614b2328d5281825ee5ef188483001b6f9365cdabc42c81b36d78bba0609d2223e2906d5f7c4505f4b1599137d12e8027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_D73FEE3C4E574541538B35CF985ADB66

Filesize
5B

MD5
4842e206e4cfff2954901467ad54169e

SHA1
80c9820ff2efe8aa3d361df7011ae6eee35ec4f0

SHA256
2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

SHA512
ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
5a1ab1871c1dd0bbe715482943c74be6

SHA1
da4ce17e39abb581883120980f00a91cb029127c

SHA256
5fab31aa7540eaebb07d0315e540564b06d612b4b4eb3f2a645fd86a59e6b37c

SHA512
88d80e7ffc33aadb7e28363aad82f51e78bc09ef3ef193a7acb867c825bf633b04bb623796e699262c2f1b40f339bc5277b5520f17d87b2d1f6724288330545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12236C41CDDF9E40BA5606CDF086B821

Filesize
202B

MD5
75f9357ff5a68ad1a0053679db0df165

SHA1
d44a437052895e39ac83136bd8de0312fc2204c1

SHA256
f10438b248914a66ab4a81fcbd4862a779eeaaf7f89bbae22ed8ea74ad99ceba

SHA512
f111075d4e7406e1597f111ddfbd71c401ebcec02a11eda2c324ba1a63e93699d24f57b2d6f70fe7bf64ec7ac27f104e0041af90b7ab57bafba24ccbc7dce2f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_D73FEE3C4E574541538B35CF985ADB66

Filesize
490B

MD5
60d164e7562a6874907ea8249bfe7757

SHA1
27fc3aa0bf0a5df588dc3987863484d8bf79cd27

SHA256
dc712d1de6ba33df399f6fcd3aafb1453ed6d2dd8e216c151b73128cb72d607d

SHA512
a02135f4425fd2b1832e3acd8ee4b054c478cff296e16a0276c85dbfd5823d8c6245eba0b8507b79971a1884e8175867742cb8f7edbaa43c9842ef5b555a2ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
3c850774b5a313054505b377da7b3942

SHA1
83cbf0198d4eca248b561dcca0275b680be4c4bd

SHA256
9452afc63615e5c004d404a76428227ff3ab70caab444b314c8f3494b60755e2

SHA512
2d420dd4da33f3a1c57f69120d19b5939f7275e61e1e20b1eb6a65b3e0c116b31e514ec691ab7699fada710ca62317e91f59a85b70ea4ae547cb4e959f4acf59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
25cbcd79e6ae8d8c10a1b91ac13417da

SHA1
1ba005176102836fb37395926d95dc9ccd67fedc

SHA256
5b3106481e9713e69de6624b92a820c846d5ed1c8802a2e5f03adeaf121ae086

SHA512
30551848dc0ae6999cabd6d56b52c7af7691d5ed3359023501bfd2fb957a994d2a7c0ad450dbffcc7dd81d95cbe7e2a863944ab72d81fbbb20a0d0f0763c7513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
3f2ca71ebb47d85dd1e5c3a73ebe7432

SHA1
24996dab7a165abe6b4c3d993d60a76f12c8b8ec

SHA256
4a25f77fce93f7b676966965cb8e3688e8b9e5980dbaf57ce52611092e2852de

SHA512
f4b99ce453bcb36a65334caa7268f441ec6c0df97d64bb421b2ef1f913927e9357a332a72b7de38b83d66bf0c9c481a0472ab014ebc828f886e046d83e97df86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\ins.exe

Filesize
155KB

MD5
150c2ea75d37ed3111f503adc5b6edb8

SHA1
87b2e37738818ddea292699ae26b2ac291ff1e7f

SHA256
cdaff7706a3c4d46ae4afdfd675fce9b06bcdbe616073b92dc28fbf58c0b6adf

SHA512
bcf0e1401d2f31b9bbd93bd3005716419c832c467fb76c21e40195ab38847022db387de49b4c7494780f04c511138631e2d8e1ac0e241bb835771bec72b815db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\installer.exe

Filesize
198KB

MD5
7950260db65cd017c5cf1b925d2fcd83

SHA1
6695ec132f781e2cabf880fe25068cbe0a75a761

SHA256
2b18da136c09287e5a8e29821b1301e11bfd0a8c7d5633b63a115681adbc9edc

SHA512
ed98e20dc18c4fcb249d8a057cf0856d3cd48012218e95053672e8113c310e8f524b33139a6064e5593551e69b5db04a958bbda1a9aeca4b850b34a31e9f5356

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj372F.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/2688-49-0x00000000742C0000-0x0000000074871000-memory.dmp

Filesize
5.7MB

Download
memory/2688-48-0x00000000742C0000-0x0000000074871000-memory.dmp

Filesize
5.7MB

Download
memory/2688-47-0x00000000742C2000-0x00000000742C3000-memory.dmp

Filesize
4KB

Download
memory/2688-65-0x00000000742C0000-0x0000000074871000-memory.dmp

Filesize
5.7MB

Download
memory/3284-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4524-46-0x00007FFE0FF60000-0x00007FFE10901000-memory.dmp

Filesize
9.6MB

Download
memory/4524-34-0x00007FFE0FF60000-0x00007FFE10901000-memory.dmp

Filesize
9.6MB

Download
memory/4524-30-0x000000001BC00000-0x000000001BC2E000-memory.dmp

Filesize
184KB

Download
memory/4524-10-0x00007FFE0FF60000-0x00007FFE10901000-memory.dmp

Filesize
9.6MB

Download
memory/4524-9-0x00007FFE10215000-0x00007FFE10216000-memory.dmp

Filesize
4KB

Download