d9d855847fb7bb8486266010286d403a20b7d267e613e37bbfa58bda2f4426be

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ad4bf941fd3db9659915ac3ad4bd442_JaffaCakes118.exe
Size

185KB
MD5

8ad4bf941fd3db9659915ac3ad4bd442
SHA1

71b6f2f4eba92face6f5fa01178252e222c783f8
SHA256

d9d855847fb7bb8486266010286d403a20b7d267e613e37bbfa58bda2f4426be
SHA512

eb91e7dafb39385f0dbef564b88ae69b522f3a612770ee721f8635e6ced209de8efef9df6f7b803829a3ab5e42b7137e6569056662bc4efa75243fbe78bbb2b6
SSDEEP

3072:cX7DItrfaocyTgfsqQOlJiqHC4h7+2iSAXs0bqHV385GUO2yem692EfjkHK8qLOk:csaocyLCizkitXjm1385GUO2yemq2Erb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	inst.exe

Executes dropped EXE 2 IoCs

pid	Process
4544	inst.exe
3704	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	8ad4bf941fd3db9659915ac3ad4bd442_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	inst.exe
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3704	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe
3704	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4544	3012	8ad4bf941fd3db9659915ac3ad4bd442_JaffaCakes118.exe	85
PID 3012 wrote to memory of 4544	3012	8ad4bf941fd3db9659915ac3ad4bd442_JaffaCakes118.exe	85
PID 4544 wrote to memory of 3704	4544	inst.exe	89
PID 4544 wrote to memory of 3704	4544	inst.exe	89
PID 4544 wrote to memory of 3704	4544	inst.exe	89

C:\Users\Admin\AppData\Local\Temp\8ad4bf941fd3db9659915ac3ad4bd442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ad4bf941fd3db9659915ac3ad4bd442_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\inst.exe
  C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\inst.exe 50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe /dT131500740S /e5363260 /t /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe" /dT131500740S /e5363260 /t /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
2af2f004964305bf23851712c21ce9c0

SHA1
ad992b90510eaeb833a8a6de538dfe667a92f2e0

SHA256
b00391642165d4b3c50f5723bb5e9bfb00076a96fe344c542286f7a2e8e0f59a

SHA512
a15ba4f4ef935e6c5a58d5fa5521514de65d9d1dc1c24bc25e16130309c66791ec087c7b26cab19af9e57381a818890c494e4af935220db40ebecb689c9b3e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
5a1ab1871c1dd0bbe715482943c74be6

SHA1
da4ce17e39abb581883120980f00a91cb029127c

SHA256
5fab31aa7540eaebb07d0315e540564b06d612b4b4eb3f2a645fd86a59e6b37c

SHA512
88d80e7ffc33aadb7e28363aad82f51e78bc09ef3ef193a7acb867c825bf633b04bb623796e699262c2f1b40f339bc5277b5520f17d87b2d1f6724288330545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
4842e206e4cfff2954901467ad54169e

SHA1
80c9820ff2efe8aa3d361df7011ae6eee35ec4f0

SHA256
2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

SHA512
ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_CC1689C2A9A5CB35265F3C2516751959

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
b1aecdfc26978df6f5be31e66ecc2347

SHA1
d8927d89db75977853b3b03c84e1745c856112f3

SHA256
ede19adf9f749a6f8b5015c32bc8b878f24e2699798a7e25c2f2ee1d4d25f94e

SHA512
9fdb4f0d9573bbda11c4838fe45a758e627b7e6354caa1d2bea7d885744413b437c34080de4304f28219dafdab381d891396a7bac507343350cf3043a62c0f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
2fe6ec15c2b12d9ef1f6f89fab90b7f9

SHA1
b541d4060153e91c0a4864e3b0016735906ceed0

SHA256
ab7717eba62272ed3176358e878d1afd12728ecddf5396581b8610bc5b94158a

SHA512
8ca9b70320f1d855845ecd9d3c4109132c76eda6ce1415dd988c772ed064b59f6d542358bf693cdb5e606fbe18602d1dcf0439d7850043efe5db161b673815b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
9d1f0e0d69e3c0bea21eb18b0fac27a1

SHA1
ec48ddc87ac5c6a6e101143f9db64964423b71ad

SHA256
9b9f2c3c948e6341fe477a69e0f51c4725cf3dcd7358707215904ab7587bc7e1

SHA512
5e54ee36a822808a1a2cc34ea308c128b5892f37bcccfedb1416edfc72d71b72340de299a06c8872300ea591073c2e75a6eea93175f6b8a04afacb084dcaf559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_CC1689C2A9A5CB35265F3C2516751959

Filesize
482B

MD5
b5cfdbd72b18d474cdd13fe689b8e795

SHA1
6fb2ce6687023294eacdce9e17b473a5c5cfe4b7

SHA256
6ec9fc6f4d272eac14230aab2c421ef3aeb1905750631691dda23efbfe984c36

SHA512
cec77a709ff5ae907c219eaf4081ef15c6e854e6cbce07492441df8ee76f088e18c178b61986b0d036c142046140d4d780711fb4bd14d61b09642746a5c52fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Filesize
165KB

MD5
5906fff7fee2292644f3769e7acb5752

SHA1
af80075ab73575aa0301736a08430ddd30a45e99

SHA256
68a6bb6d526ee914542940174b38cf8fa166d35f8e4bb4d49bd16065cb1f46d7

SHA512
d4e6c9be580a292700da3178dfa4979e9e93853b477e9ccecb0ec093cc3ed86174e9f11ae940c4c65d7f2b6e1444aefc8efd0cbf6384a179c96d0a07c7419583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\inst.exe

Filesize
144KB

MD5
78c9beb846f7a1355f12474d880b2cfd

SHA1
dbb8ccf9114e97c1deb4da021863997d228ed04b

SHA256
b7ad932609760e6e4d8254d83b25d00a9114b112f77276c096ad8d62de6aff4e

SHA512
8b6722f6355b2cacccab6302ca141be7d082e3a1fef37672a06a8f5d25d7bc04fb6e64f79554a80cae9477d8d6c6d2045e7a6833bf142c4692c194fe0cb65987

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4306.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/3012-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3704-43-0x0000000073E40000-0x00000000743F1000-memory.dmp

Filesize
5.7MB

Download
memory/3704-42-0x0000000073E42000-0x0000000073E43000-memory.dmp

Filesize
4KB

Download
memory/3704-57-0x0000000073E40000-0x00000000743F1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-41-0x00007FFB96020000-0x00007FFB969C1000-memory.dmp

Filesize
9.6MB

Download
memory/4544-29-0x00007FFB96020000-0x00007FFB969C1000-memory.dmp

Filesize
9.6MB

Download
memory/4544-25-0x000000001BE60000-0x000000001BE80000-memory.dmp

Filesize
128KB

Download
memory/4544-10-0x00007FFB96020000-0x00007FFB969C1000-memory.dmp

Filesize
9.6MB

Download
memory/4544-9-0x00007FFB962D5000-0x00007FFB962D6000-memory.dmp

Filesize
4KB

Download