23a8d5cbed2d324800423cea1de9357756ce372f22693ea8b482f43ea6c4ac37

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe
Size

428KB
MD5

07b38e44001f4972d3a4bf2f552bc670
SHA1

dabb70223b608824edbe8e528fbe5b79db16e96f
SHA256

23a8d5cbed2d324800423cea1de9357756ce372f22693ea8b482f43ea6c4ac37
SHA512

541be40c3436cdf88ac007cdab6a551d5443862300a90dea00a0ebfe9fd7b7eb4f3980791cf16db29d33f525272f2f92f758af8474d6497d127d8060361161fa
SSDEEP

6144:psaocyLCxcfyuO4+iX7nC+pQ8l1jYoVr+/mYOP3JkLXXKaJ7JQ87DbximefUgudM:ptobKr4jX7nCGQiZUqkr887DFincgum

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	inst.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	inst.exe
4576	installer.exe

Loads dropped DLL 1 IoCs

pid	Process
4744	07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe
File created	C:\Windows\assembly\Desktop.ini	inst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	inst.exe
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4576	installer.exe
4576	installer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2856	4744	07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe	82
PID 4744 wrote to memory of 2856	4744	07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe	82
PID 2856 wrote to memory of 4576	2856	inst.exe	84
PID 2856 wrote to memory of 4576	2856	inst.exe	84
PID 2856 wrote to memory of 4576	2856	inst.exe	84

C:\Users\Admin\AppData\Local\Temp\07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07b38e44001f4972d3a4bf2f552bc670_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\inst.exe
  C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\inst.exe installer.exe /dT132171019S /e6132210 /u50ae11c5-fa08-4f10-be2a-04b05bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\installer.exe" /dT132171019S /e6132210 /u50ae11c5-fa08-4f10-be2a-04b05bc06f2f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12236C41CDDF9E40BA5606CDF086B821

Filesize
76KB

MD5
097d76e6b055fc0c063e918a7ed89f5d

SHA1
2502a66e57832ed52f1d2236a711e78723f1ddaf

SHA256
c2c47a3c7d7d2a5a4061945a6babc7d289f394b08814f105153bdfd54114b485

SHA512
0d1bdfb0c70eb0b47c9834ddd15b8cae1e7f246e9a149fee1bcedbe44649262176e56d52ce4e255189ad58d2a8591b42d8c8c848a7029ad22e8ac858c712a0bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
3a0e39c53630ecfc2720aee27fe32557

SHA1
ce9b2fbd4efce495b07ac98b4cb54b12dd3cf3c0

SHA256
18da8779683e3e688ac75a896d738eb4e958763e153e56cb06432bafd3d6ef38

SHA512
3598a8fa245b68d4ea236355c00c80710105704efb08e889edea0afd79e079224083c0d034e6b2454189bb8057ea9037ae48e0791bc5b6c54a4af90541fda166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12236C41CDDF9E40BA5606CDF086B821

Filesize
202B

MD5
0f8c9f8037251a7e0f0e6cd9aaa1c7e6

SHA1
f826bc7e38ae22e55610b38b62279d2b22b79930

SHA256
fe94d8143c872c2feab556d4c58f82f59694c703ef9a91812411c95bc8891e53

SHA512
a2db7e92d97f013736257b99aa4664c2b29991919c01e6fecc8a99f2bd1b8c25f0b2afd268b459ed094000682b8a4ef832560c2658be2a4c6a8158b9619fda2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
f3e094017171173650f04d93123dd349

SHA1
a8348d714626ef365a58d11eb54f068c28f9b9aa

SHA256
2e25531b992d0e06972b9e4b8dfdf92c2e76e602642689d1cc0dd85f52f3a108

SHA512
e5ad28e56efb75eb8063d1b4358d6250a9edb2ab64b3abbd0c35825eb3ef3bc2d19d33e8d83464d3dcdaaab59fca22f45c5807aa8aaf1a37f889c6865eab45b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
039b9b2659c2c8fe816c7fea0dd7a848

SHA1
91ad88bbca755a03b5ca4b1bb9d0b2c6ff5546b0

SHA256
c24dd5d69bf456d3bfc15efa50a7f18235e8f65ecdcd090b736aef683e84bfa0

SHA512
52867a2e24651791d5331fe30d3b385f08d7c438799037578aa37fd574e974095148cd4a31836e784e9326e50d98d39055352bd6626f7ae1385a1926d1377494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
68d6847bdfab728ff562be4931d7bbcb

SHA1
d4202e8da6df11942cc23ae6311c87ebbe39d65a

SHA256
87df67519c700ae3dd8797653c8893408928fb23b16427e39df5717c0c9b05c9

SHA512
0f1a2dc0df1a61c6cf498a2b9db34efb5c562139a75c587ead9165cabd8e0dee0c07b6afcae4c6c8e199e366df6cf2f412a42496ed4f905a7f85f72d607500d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\inst.exe

Filesize
175KB

MD5
ecef08b48d655495922474ce5fdb0b3b

SHA1
37db28981e315ba34fb72e5fabfb2c2ade2a7aea

SHA256
1823f6ca026972810a09a61d2ca41aeda650c4bd7a7bbba010e08895eb949fac

SHA512
65fd89715af68b36860194affa710812ed638ca826a269fc39500997ace3f4284c8bfbe08d7dd623490fc83896c155f0d5f0ae8a5f78b07ec7d3203e9a8fe371

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\installer.exe

Filesize
240KB

MD5
2a32421cd95e14068c3bc70c585f7263

SHA1
b829fabcdb581cbc17ba4fb76486690a1ffd3f37

SHA256
a720c4ce7d6899efbcb350d76c308f8b305458ba44fddd289c159b5fc6311601

SHA512
42fc091ef2b54b100de0b924b7d6415aeb64f86dc7f542ab49d629af4fe813e4233ad4ad48c8acce83c6e71771a65d52c15ee787ae90b85e78707fb427955039

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz923F.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/2856-32-0x000000001CAC0000-0x000000001CAE8000-memory.dmp

Filesize
160KB

Download
memory/2856-48-0x00007FFE63890000-0x00007FFE64231000-memory.dmp

Filesize
9.6MB

Download
memory/2856-36-0x00007FFE63890000-0x00007FFE64231000-memory.dmp

Filesize
9.6MB

Download
memory/2856-11-0x00007FFE63890000-0x00007FFE64231000-memory.dmp

Filesize
9.6MB

Download
memory/2856-10-0x00007FFE63890000-0x00007FFE64231000-memory.dmp

Filesize
9.6MB

Download
memory/2856-9-0x00007FFE63B45000-0x00007FFE63B46000-memory.dmp

Filesize
4KB

Download
memory/4576-51-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4576-50-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4576-49-0x0000000074762000-0x0000000074763000-memory.dmp

Filesize
4KB

Download
memory/4576-65-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4744-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download