3798aa4390f2bb172d0e30851bddc3c4a5885f3bfcffe1f4486b49bd46d966d8

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
Size

150KB
MD5

3c8168e216232d0f540bf5e6339be6c5
SHA1

f41598182b4247eca62d912c3e8c6a6620ca7206
SHA256

3798aa4390f2bb172d0e30851bddc3c4a5885f3bfcffe1f4486b49bd46d966d8
SHA512

5c9945b0e56590539f8518f5e083e9666cdd8155ced2f556bc52553ff7fcc25ef2c83b4e0696c36aaf6d37b7b176c1319f263da5fce5fd3582af49a5a9fc9b29
SSDEEP

3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZl:dkt0TSZkhWVvI+UupZTr5iSVrLmcE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	inlBE41.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3076	indA8D3.tmp
4552	inlBE41.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC052.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D6CF0E3D-9EC2-46AE-ADCD-4F831B0F3385}	msiexec.exe
File created	C:\Windows\Installer\e57bf0e.msi	msiexec.exe
File created	C:\Windows\Installer\e57bf0a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bf0a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	3076	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
4924	msiexec.exe
4924	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	4924	msiexec.exe
Token: SeCreateTokenPrivilege	1956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1956	msiexec.exe
Token: SeLockMemoryPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeMachineAccountPrivilege	1956	msiexec.exe
Token: SeTcbPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeLoadDriverPrivilege	1956	msiexec.exe
Token: SeSystemProfilePrivilege	1956	msiexec.exe
Token: SeSystemtimePrivilege	1956	msiexec.exe
Token: SeProfSingleProcessPrivilege	1956	msiexec.exe
Token: SeIncBasePriorityPrivilege	1956	msiexec.exe
Token: SeCreatePagefilePrivilege	1956	msiexec.exe
Token: SeCreatePermanentPrivilege	1956	msiexec.exe
Token: SeBackupPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeDebugPrivilege	1956	msiexec.exe
Token: SeAuditPrivilege	1956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1956	msiexec.exe
Token: SeChangeNotifyPrivilege	1956	msiexec.exe
Token: SeRemoteShutdownPrivilege	1956	msiexec.exe
Token: SeUndockPrivilege	1956	msiexec.exe
Token: SeSyncAgentPrivilege	1956	msiexec.exe
Token: SeEnableDelegationPrivilege	1956	msiexec.exe
Token: SeManageVolumePrivilege	1956	msiexec.exe
Token: SeImpersonatePrivilege	1956	msiexec.exe
Token: SeCreateGlobalPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeIncBasePriorityPrivilege	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3076	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	86
PID 1044 wrote to memory of 3076	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	86
PID 1044 wrote to memory of 3076	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	86
PID 1044 wrote to memory of 1956	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	90
PID 1044 wrote to memory of 1956	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	90
PID 1044 wrote to memory of 1956	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	90
PID 1044 wrote to memory of 4648	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	93
PID 1044 wrote to memory of 4648	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	93
PID 1044 wrote to memory of 4648	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	93
PID 1044 wrote to memory of 4380	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	95
PID 1044 wrote to memory of 4380	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	95
PID 1044 wrote to memory of 4380	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	95
PID 1044 wrote to memory of 116	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	97
PID 1044 wrote to memory of 116	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	97
PID 1044 wrote to memory of 116	1044	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	97
PID 4380 wrote to memory of 3864	4380	cmd.exe	99
PID 4380 wrote to memory of 3864	4380	cmd.exe	99
PID 4380 wrote to memory of 3864	4380	cmd.exe	99
PID 4924 wrote to memory of 3348	4924	msiexec.exe	101
PID 4924 wrote to memory of 3348	4924	msiexec.exe	101
PID 4924 wrote to memory of 3348	4924	msiexec.exe	101
PID 4648 wrote to memory of 4552	4648	cmd.exe	100
PID 4648 wrote to memory of 4552	4648	cmd.exe	100
PID 4648 wrote to memory of 4552	4648	cmd.exe	100
PID 4552 wrote to memory of 1584	4552	inlBE41.tmp	102
PID 4552 wrote to memory of 1584	4552	inlBE41.tmp	102
PID 4552 wrote to memory of 1584	4552	inlBE41.tmp	102

C:\Users\Admin\AppData\Local\Temp\3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\indA8D3.tmp
  C:\Users\Admin\AppData\Local\Temp\indA8D3.tmp
  2⤵
  - Executes dropped EXE
  PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 264
    3⤵
    - Program crash
    PID:1196
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSBA2~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\inlBE41.tmp
    C:\Users\Admin\AppData\Local\Temp\inlBE41.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBE41.tmp > nul
      4⤵
      PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3C8168~1.EXE > nul
  2⤵
  PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3076 -ip 3076
1⤵
PID:4872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6B746D011EE57EE7DE6BF83C2FF15DFC
  2⤵
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bf0d.rbs

Filesize
8KB

MD5
97391bcc921bc3a0e4b19e9c61e4c922

SHA1
12c9da9b69c24fc0cd46eac11ee7151948937ccc

SHA256
fcc334044b5e99af264607675ce310156431835f29a679e317d3539438dbbfd1

SHA512
623e67bc3fdad9a2e76b7868bdc5bbaf09720f4a56e85e69e158413b9cf4589a3e4c0fe857fab83f9c376e0649ff01b6423f399ad886044a0190b29a3dc5d0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSBA2~1.INI

Filesize
66KB

MD5
15f25466167bcb453cc34ad419bb83a1

SHA1
442125d7385aa65ce6eeb3bc3caefc0dbe84fa8d

SHA256
84470b560d6dca6b02e128983cbc6c94c4abe04a8525492ea86cdefff20ead75

SHA512
419ed4f3ab54c57f164ca9412402279886b707401ec07707cb6aa0ce8046b61c489f87a29c7eaf97af851461f74cfdecc0e268b76b30cde8188f2003f2c80884

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
4196660a5dbe6954a9b235d25281220b

SHA1
2c9e04d6930fd7f8e6b723b7e40f9b93a3625f9b

SHA256
5df91efead53300bc42594329ad0d98bf54a14bd3a0fe37ad7ed6be5b6686dac

SHA512
c95871edd4451ad75468d8da59daccd0e80ce917df08bbdc41242338c2faa4add465ea2814dc3357b1a7919567711686725f55f393f707ae4aa6bd7c204bfcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1044-31-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1044-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/3076-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3076-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3076-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4552-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download