e6ea3c1ca861b57d28f485fffd9bb8dd08c4480ad4c993aeb50fd8576aceeab5

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe
Size

64KB
MD5

3841fd589b5c6de1277443f8ac20880f
SHA1

21cb0e0faa3691cb70bb1aae8cfae1ff1d461e01
SHA256

e6ea3c1ca861b57d28f485fffd9bb8dd08c4480ad4c993aeb50fd8576aceeab5
SHA512

c24dc1865187a2f950080e915efb98af1534803d27c96905858cf81cd7f76ef825333124d91017f61ab07b1afb5868edfbb80c344b2638740475c7007a2c19c3
SSDEEP

1536:ygVfaMlet+QcLAvQNgRizP4BC15p/RckwDU:vwMlbhLPK7Bg5p/LuU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	inlCBCA.tmp

Executes dropped EXE 1 IoCs

pid	Process
2148	inlCBCA.tmp

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\D:	cmd.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58ccc1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58ccc1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A87A31A5-3C05-47C2-A075-36B4FF6A9858}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF80.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ccc5.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3576	msiexec.exe
3576	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1336	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeCreateTokenPrivilege	1336	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1336	msiexec.exe
Token: SeLockMemoryPrivilege	1336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1336	msiexec.exe
Token: SeMachineAccountPrivilege	1336	msiexec.exe
Token: SeTcbPrivilege	1336	msiexec.exe
Token: SeSecurityPrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeLoadDriverPrivilege	1336	msiexec.exe
Token: SeSystemProfilePrivilege	1336	msiexec.exe
Token: SeSystemtimePrivilege	1336	msiexec.exe
Token: SeProfSingleProcessPrivilege	1336	msiexec.exe
Token: SeIncBasePriorityPrivilege	1336	msiexec.exe
Token: SeCreatePagefilePrivilege	1336	msiexec.exe
Token: SeCreatePermanentPrivilege	1336	msiexec.exe
Token: SeBackupPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeShutdownPrivilege	1336	msiexec.exe
Token: SeDebugPrivilege	1336	msiexec.exe
Token: SeAuditPrivilege	1336	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1336	msiexec.exe
Token: SeChangeNotifyPrivilege	1336	msiexec.exe
Token: SeRemoteShutdownPrivilege	1336	msiexec.exe
Token: SeUndockPrivilege	1336	msiexec.exe
Token: SeSyncAgentPrivilege	1336	msiexec.exe
Token: SeEnableDelegationPrivilege	1336	msiexec.exe
Token: SeManageVolumePrivilege	1336	msiexec.exe
Token: SeImpersonatePrivilege	1336	msiexec.exe
Token: SeCreateGlobalPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3660	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	88
PID 3544 wrote to memory of 3660	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	88
PID 3544 wrote to memory of 3660	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	88
PID 3544 wrote to memory of 1336	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	90
PID 3544 wrote to memory of 1336	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	90
PID 3544 wrote to memory of 1336	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	90
PID 3544 wrote to memory of 3608	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	93
PID 3544 wrote to memory of 3608	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	93
PID 3544 wrote to memory of 3608	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	93
PID 3544 wrote to memory of 4388	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	95
PID 3544 wrote to memory of 4388	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	95
PID 3544 wrote to memory of 4388	3544	3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe	95
PID 3576 wrote to memory of 4536	3576	msiexec.exe	98
PID 3576 wrote to memory of 4536	3576	msiexec.exe	98
PID 3576 wrote to memory of 4536	3576	msiexec.exe	98
PID 3608 wrote to memory of 2148	3608	cmd.exe	97
PID 3608 wrote to memory of 2148	3608	cmd.exe	97
PID 3608 wrote to memory of 2148	3608	cmd.exe	97
PID 2148 wrote to memory of 1760	2148	inlCBCA.tmp	99
PID 2148 wrote to memory of 1760	2148	inlCBCA.tmp	99
PID 2148 wrote to memory of 1760	2148	inlCBCA.tmp	99

C:\Users\Admin\AppData\Local\Temp\3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3841fd589b5c6de1277443f8ac20880f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MSV\nvsC7D1.tmp.bat" "
  2⤵
  - Enumerates connected drives
  PID:3660
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i \B5L.msi /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\inlCBCA.tmp
    C:\Users\Admin\AppData\Local\Temp\inlCBCA.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlCBCA.tmp > nul
      4⤵
      PID:1760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3841FD~1.EXE > nul
  2⤵
  PID:4388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C46C726C885E24F40C70120574DAE93
  2⤵
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58ccc4.rbs

Filesize
8KB

MD5
5164baf486511f6037bb3f8f2c9822a4

SHA1
401cc41a9d1cbc738759773da3399bf797c52af2

SHA256
f6d762434f5edb9d54ba7888f620aae0a153d916e60b8899174690e67708e8bc

SHA512
2846ea0757883bb7b793558da4031e84eaa5704bc37713bb17959c491c816ff08be503a6148b82b2c7fa78562f7ecbd7461bd567d07592f27446266605081da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
ae6343c8a1c3d95e407b92764d9c8f1c

SHA1
36f46207906e0f65bfa37f47cffdd0f45d8fe237

SHA256
c7f45a8ea96606a96dc9ad099f9904909d84a2f499af134295e420bdfffbc681

SHA512
74fa2b29512d4b3c3db1a58bd4e6984e40dcb743efc089c9fd28132687118c3612fd8dc484ac94d1617ce95b33067e37ecbe1fae99de91a5bcca7a70198b9d24

Download Submit
C:\Users\Admin\AppData\Roaming\MSV\nvsC7D1.tmp.bat

Filesize
2KB

MD5
deca4391df0c2dc0b47708dc2b9be3ba

SHA1
ed44586716bf7de353b6935eacacdf995c6b4d42

SHA256
d235475bbd0f8228b8dec5131c435ccb2506594f8931b1910c7d62aa1e5cbe67

SHA512
80a030033d643698493f1bec74c8655c453fb4b2c556fec854a811870bfeea47abd60a4f9b169d414ab9619dbde8ba6ec45200160542972fe7a531ee09784bb1

Download Submit
memory/2148-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3544-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/3544-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-7-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/3544-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download