951a38c17d7187bdcea72f42582022e05d2ec57e36354e810f2ac8e219b61e35

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
Size

102KB
MD5

09ad30e38f231b18e20e580c9c556d01
SHA1

d152a03f4e29e43fd31dce8353a639f94e74ca35
SHA256

951a38c17d7187bdcea72f42582022e05d2ec57e36354e810f2ac8e219b61e35
SHA512

7005ff4b392d05c853960c13ea9d90f9be03a12382593b8c479d1001d345dd442997b8efd86d4aa0e7a6389ee95d6c92d61df94a04f3d61206bd48e44f1669b7
SSDEEP

1536:yOF3OLr5Oi3hhOSmXjQXNhXm558NSY1WMk+LOBk8a9:DO/vwXwNhokSTZa9

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\desktop.ini	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File created	\??\c:\Program Files\desktop.ini	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\msvcp140.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\msadc\msadds.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\keytool.exe	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\Services\verisign.bmp	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\Services\verisign.bmp	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3564	712	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09ad30e38f231b18e20e580c9c556d01_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 964
  2⤵
  - Program crash
  PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 712 -ip 712
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.9MB

MD5
adbdc25902d3137cf431628abafc4abd

SHA1
7638be26769f79ca041fdb8cd62f4d8e01dfe3cf

SHA256
2ebffff5df2f77ad0f10e1aeea9a3fcb08d4b9aa738dd66945168846b4169764

SHA512
c9d2f21d721d4bd000ea48f3880f11314ee9638588383518e3220f1357cf4f71009526a95b83c76fa3650afd0d733ba2db7d5984261b77915f73fa7e9c0ec067

Download Submit
C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit