a81b17abad6f4d55fdd83bcd2a0b94fea3513c240b9fc82d4a6db325fcbad640

Analysis

max time kernel
95s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 13:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
Size

224KB
MD5

307dd7e5136afdf736b43a74b81a413e
SHA1

155ebb644c0ac3b30865aa26b1ca883bce3b8a60
SHA256

a81b17abad6f4d55fdd83bcd2a0b94fea3513c240b9fc82d4a6db325fcbad640
SHA512

1ca1f2bcbe1d14a52bcafcdb01624cc5efad8be7b5998332f5def68b09ebd9771047007a370925b120438f0e7c4583fd3df8c18059c8697d700d507dcf6b30e5
SSDEEP

3072:rb8IM9D5woXXreupOnXY8/ZnLSpWKaIWHnDFoo97pzJ+nYkOCwynsVvRokCB/bnv:0IUWJlfQw+oJpzmfwssLJC5opH9DH3zc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	inlB613.tmp

Executes dropped EXE 2 IoCs

pid	Process
2196	ki1AC3E.tmp
3516	inlB613.tmp

Loads dropped DLL 2 IoCs

pid	Process
3060	MsiExec.exe
3060	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57b71b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB834.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB900.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\e57b71b.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	2196	WerFault.exe	87

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3904	msiexec.exe
Token: SeSecurityPrivilege	4612	msiexec.exe
Token: SeCreateTokenPrivilege	3904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3904	msiexec.exe
Token: SeLockMemoryPrivilege	3904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3904	msiexec.exe
Token: SeMachineAccountPrivilege	3904	msiexec.exe
Token: SeTcbPrivilege	3904	msiexec.exe
Token: SeSecurityPrivilege	3904	msiexec.exe
Token: SeTakeOwnershipPrivilege	3904	msiexec.exe
Token: SeLoadDriverPrivilege	3904	msiexec.exe
Token: SeSystemProfilePrivilege	3904	msiexec.exe
Token: SeSystemtimePrivilege	3904	msiexec.exe
Token: SeProfSingleProcessPrivilege	3904	msiexec.exe
Token: SeIncBasePriorityPrivilege	3904	msiexec.exe
Token: SeCreatePagefilePrivilege	3904	msiexec.exe
Token: SeCreatePermanentPrivilege	3904	msiexec.exe
Token: SeBackupPrivilege	3904	msiexec.exe
Token: SeRestorePrivilege	3904	msiexec.exe
Token: SeShutdownPrivilege	3904	msiexec.exe
Token: SeDebugPrivilege	3904	msiexec.exe
Token: SeAuditPrivilege	3904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3904	msiexec.exe
Token: SeChangeNotifyPrivilege	3904	msiexec.exe
Token: SeRemoteShutdownPrivilege	3904	msiexec.exe
Token: SeUndockPrivilege	3904	msiexec.exe
Token: SeSyncAgentPrivilege	3904	msiexec.exe
Token: SeEnableDelegationPrivilege	3904	msiexec.exe
Token: SeManageVolumePrivilege	3904	msiexec.exe
Token: SeImpersonatePrivilege	3904	msiexec.exe
Token: SeCreateGlobalPrivilege	3904	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeIncBasePriorityPrivilege	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3516	inlB613.tmp

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3212	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	85
PID 868 wrote to memory of 3212	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	85
PID 868 wrote to memory of 3212	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	85
PID 3212 wrote to memory of 2196	3212	cmd.exe	87
PID 3212 wrote to memory of 2196	3212	cmd.exe	87
PID 3212 wrote to memory of 2196	3212	cmd.exe	87
PID 868 wrote to memory of 3904	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	91
PID 868 wrote to memory of 3904	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	91
PID 868 wrote to memory of 3904	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	91
PID 4612 wrote to memory of 3060	4612	msiexec.exe	94
PID 4612 wrote to memory of 3060	4612	msiexec.exe	94
PID 4612 wrote to memory of 3060	4612	msiexec.exe	94
PID 868 wrote to memory of 1212	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	95
PID 868 wrote to memory of 1212	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	95
PID 868 wrote to memory of 1212	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	95
PID 868 wrote to memory of 1168	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	97
PID 868 wrote to memory of 1168	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	97
PID 868 wrote to memory of 1168	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	97
PID 868 wrote to memory of 2384	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	99
PID 868 wrote to memory of 2384	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	99
PID 868 wrote to memory of 2384	868	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	99
PID 1168 wrote to memory of 4920	1168	cmd.exe	101
PID 1168 wrote to memory of 4920	1168	cmd.exe	101
PID 1168 wrote to memory of 4920	1168	cmd.exe	101
PID 1212 wrote to memory of 3516	1212	cmd.exe	102
PID 1212 wrote to memory of 3516	1212	cmd.exe	102
PID 1212 wrote to memory of 3516	1212	cmd.exe	102
PID 3516 wrote to memory of 3112	3516	inlB613.tmp	103
PID 3516 wrote to memory of 3112	3516	inlB613.tmp	103
PID 3516 wrote to memory of 3112	3516	inlB613.tmp	103

C:\Users\Admin\AppData\Local\Temp\307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\ki1AC3E.tmp
    C:\Users\Admin\AppData\Local\Temp\ki1AC3E.tmp
    3⤵
    - Executes dropped EXE
    PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 264
      4⤵
      Program crash
      PID:2052
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\insB269.tmp.msi" /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\inlB613.tmp
    C:\Users\Admin\AppData\Local\Temp\inlB613.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlB613.tmp > nul
      4⤵
      PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\307DD7~1.EXE > nul
  2⤵
  PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2196 -ip 2196
1⤵
PID:2180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5BD178172236CF7E04A86115FC77AB28
  2⤵
  - Loads dropped DLL
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
b0ece4253aa722df42dd4104202d1d6d

SHA1
47f045de6447299e729c37d3fe5928b47b7cc7d3

SHA256
b6247cf57ce070d0dfeb368737bf2f45613b6baad51e9247c55ae91a6e567b99

SHA512
e3dc5547c2503c4ef467b9f31f4e08997d57901321fd42f04f9b0c23bc3eddc12d3134a098fd36e92c510946fc4a97ad9087be3822dabf57c5a02aeb92a52fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
45B

MD5
398ca15c3f30581ac53e87d8879f1890

SHA1
1ed7d8983699c086c3b4f1149c9472b3fb0a2fcb

SHA256
fed04c78023aaa0d5491a85dd997694c75095dcbd8c2e24045586d92de26bfa9

SHA512
f043154889dba4d445d94c813995057838bd8126e93b9e845b397a783831a8f25912dba44fca349870ae5b0270f1440b264e7f3a14b29274c744dbd264ba1560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Windows\Installer\MSIB834.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/868-45-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/868-44-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/868-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/868-1-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/2196-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-13-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2196-12-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3516-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download