b0973be514affc90b3688b682f920971c971ce0ae9fea63ceb4bb8f578af513f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
Size

810KB
MD5

fdc40a3afb2ab6e08df0d5ff34b91f04
SHA1

67133afc0af5cb9f43d33b59ac584d3e45f7d693
SHA256

b0973be514affc90b3688b682f920971c971ce0ae9fea63ceb4bb8f578af513f
SHA512

b4b744d1809b766900d261c994c3d69fd257ad44efcb06db6c74de790d7a05a844c05f0504ffa14fbf0cdbcabdc0b4e71bef86830af65151b3035c30329f5777
SSDEEP

12288:3ryF6F/aLMm54G2nCEDzdAgvD9jSG8cyOyG2XCRVtRhnCTBRy8pRYAqN:37ILMm54GXU+M8cyOyGWCpnV87vqN

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	\??\c:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\desktop.ini	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\desktop.ini	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mk.txt	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\msxactps.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\he.pak	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\mraut.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\zip.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\et.txt	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\LICENSE.txt	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2732	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdc40a3afb2ab6e08df0d5ff34b91f04_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 464
  2⤵
  - Program crash
  PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2732 -ip 2732
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
2.5MB

MD5
24ebacb31b0fd84d477c7f50d52edeba

SHA1
fa87db9a1e38f5efe35cbbadb67fecd104c3d7d3

SHA256
5b55c625579408cb271d5ba85d647e23b29186319ee7193f024415e9703eb072

SHA512
1da387c2ad04eb13003a7d97c0d158c61af7fe11da9fef7952849bee19ad4a711fd6f2399737a3d038ee377493058b820ab0f08d105a053289add93c0129d072

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/2732-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2732-2035-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download