3f695194d418fed5a3b84558cc23b7a568ef1224a4fb6c9c3b5a209383233d69

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe
Size

21.1MB
MD5

10a4341362b0e3e596a5936e32978e6b
SHA1

a014b912e092d48c6b02d584c3860620a86353dc
SHA256

3f695194d418fed5a3b84558cc23b7a568ef1224a4fb6c9c3b5a209383233d69
SHA512

a442f492d41db30bb19c4f91378ed5447bfb2bc5f71825b0151c65675d4245ce34dd1e6665e1539b0a634cc635383f831970783d04d95d35d85ab2c9fe583f66
SSDEEP

393216:JtUS4AqAW6WcDD0Xp9cB7yf9x1/l+LFKpbh6ay:0S4J3xvXpaAx1/l+Bch6a

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
1036	Game.exe
2372	FalcoGamePlayerSetup.exe
400	FalcoGamePlayerSetup.tmp
4300	FalcoGamePlayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Desolators\unins000.dat	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\is-3F0MG.tmp	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\is-U2E3S.tmp	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Desolators\is-3HQA9.tmp	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Falco Game Player\unins000.dat	FalcoGamePlayerSetup.tmp
File opened for modification	C:\Program Files (x86)\Desolators\Game.exe	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Desolators\is-D6O12.tmp	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Falco Game Player\is-TA1FV.tmp	FalcoGamePlayerSetup.tmp
File opened for modification	C:\Program Files (x86)\Desolators\FalcoGamePlayerSetup.exe	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Desolators\is-JTBN8.tmp	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Desolators\unins000.dat	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Falco Game Player\FalcoGamePlayer.exe	FalcoGamePlayerSetup.tmp
File created	C:\Program Files (x86)\Falco Game Player\unins000.dat	FalcoGamePlayerSetup.tmp
File opened for modification	C:\Program Files (x86)\Falco Game Player\FalcoGamePlayer.url	FalcoGamePlayerSetup.tmp
File opened for modification	C:\Program Files (x86)\Desolators\Desolators.url	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Falco Game Player\is-HGU3G.tmp	FalcoGamePlayerSetup.tmp
File created	C:\Program Files (x86)\Falco Game Player\is-U1DCN.tmp	FalcoGamePlayerSetup.tmp
File created	C:\Program Files (x86)\is-E1KAF.tmp	FalcoGamePlayerSetup.tmp
File created	C:\Program Files (x86)\is-48229.tmp	FalcoGamePlayerSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FalcoGamePlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FalcoGamePlayerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FalcoGamePlayerSetup.tmp

Kills process with taskkill 1 IoCs

evasion

pid	Process
4628	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
400	FalcoGamePlayerSetup.tmp
400	FalcoGamePlayerSetup.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
400	FalcoGamePlayerSetup.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1036	Game.exe
1036	Game.exe
4300	FalcoGamePlayer.exe
4300	FalcoGamePlayer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 2444	5004	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe	82
PID 5004 wrote to memory of 2444	5004	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe	82
PID 5004 wrote to memory of 2444	5004	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe	82
PID 2444 wrote to memory of 1036	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	93
PID 2444 wrote to memory of 1036	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	93
PID 2444 wrote to memory of 1036	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	93
PID 2444 wrote to memory of 2372	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	94
PID 2444 wrote to memory of 2372	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	94
PID 2444 wrote to memory of 2372	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	94
PID 2372 wrote to memory of 400	2372	FalcoGamePlayerSetup.exe	95
PID 2372 wrote to memory of 400	2372	FalcoGamePlayerSetup.exe	95
PID 2372 wrote to memory of 400	2372	FalcoGamePlayerSetup.exe	95
PID 2444 wrote to memory of 3532	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	96
PID 2444 wrote to memory of 3532	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	96
PID 2444 wrote to memory of 3532	2444	10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp	96
PID 3532 wrote to memory of 4628	3532	cmd.exe	98
PID 3532 wrote to memory of 4628	3532	cmd.exe	98
PID 3532 wrote to memory of 4628	3532	cmd.exe	98
PID 400 wrote to memory of 4300	400	FalcoGamePlayerSetup.tmp	100
PID 400 wrote to memory of 4300	400	FalcoGamePlayerSetup.tmp	100
PID 400 wrote to memory of 4300	400	FalcoGamePlayerSetup.tmp	100

C:\Users\Admin\AppData\Local\Temp\10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\is-LAK5F.tmp\10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LAK5F.tmp\10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp" /SL5="$502C2,21705086,55296,C:\Users\Admin\AppData\Local\Temp\10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Program Files (x86)\Desolators\Game.exe
    "C:\Program Files (x86)\Desolators\Game.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Program Files (x86)\Desolators\FalcoGamePlayerSetup.exe
    "C:\Program Files (x86)\Desolators\FalcoGamePlayerSetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\is-3M525.tmp\FalcoGamePlayerSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3M525.tmp\FalcoGamePlayerSetup.tmp" /SL5="$C0040,2863771,55296,C:\Program Files (x86)\Desolators\FalcoGamePlayerSetup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Program Files (x86)\Falco Game Player\FalcoGamePlayer.exe
        
        "C:\Program Files (x86)\Falco Game Player\FalcoGamePlayer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c taskkill /f /im rkverify.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rkverify.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Desolators\FalcoGamePlayerSetup.exe

Filesize
3.1MB

MD5
8c4c9d5b7cef3375118313a577099b05

SHA1
a0979d04018644cee3b02a055fd226c3e1942a99

SHA256
5bc3e8290ee1c0ee5fffa7d883476ab763f05d9413c58d2916dcdcc34bd99adb

SHA512
10ec8dc36bd5384ba60b5ca411f2328017dd1ec425a257a148a02b4eeacf19a745347b98e61f2c0aa88ccca2a531ed8e47deda11616f56befed08e88a7c5bbe5

Download Submit
C:\Program Files (x86)\Desolators\Game.exe

Filesize
25.6MB

MD5
77f8f918ccb344f47efb8c8cab9bdb8b

SHA1
ff8f3f3c708f6eba7dcdb5dfa9a9f1194893409b

SHA256
6b63d2a0b00a1ae5a526e4360a162497f0d33db1616a8ba71e1c4f58bc5719af

SHA512
82238bda9cd81efce7b594f6abcedb14346d67516bd89728ba2391a980c5e52d3ff6d949f44956098617174b020235a09e3f7d4ca4f5f801bc3728dc49c76ff1

Download Submit
C:\Program Files (x86)\Falco Game Player\FalcoGamePlayer.exe

Filesize
12.7MB

MD5
b10e34e785d77fcdbd58d5c3d00dacea

SHA1
44257cb697cc51b3df6d93bcf3045d7b13eab06e

SHA256
bbd0d32968cf778fa350cf49fe7d6a64ee76989f6a18ff400480f0614aec529b

SHA512
64d9de67854186e0ea6e171f977595689991dc2a329ddab3f37442e1a1c981230f4267e1e49b4baee75ed2bd0e7cd7c4991d6f55a9f3c9611870e38e1df33afa

Download Submit
C:\Program Files (x86)\Falco Game Player\is-HGU3G.tmp

Filesize
699KB

MD5
4bed42f7e9fe379fb29537d7ffc7d67b

SHA1
dba8f3666519c155c81b7c048a7edabc8d3fe236

SHA256
818d99d99dc8c5f1631144af5f0aeb8d82178c16168b5bc49a9f8e0135069854

SHA512
9e574faa06acd6779d760245c774f6abe98df990d6aaa73cf20a34c35bf3410f31bdb6e833f596865f886f453267e62167262c52dcd25eb73f2db1f387366f1d

Download Submit
C:\Program Files (x86)\Falco.ico

Filesize
3KB

MD5
6cfc02aab3845db4b4161fadcaea4c5f

SHA1
5f977c8527bc96c765c368eb669a254e34b3f898

SHA256
8a757a6115023e3f28c0739f79fdc13d6035fbe22a6c5042cdedf2c484a320d1

SHA512
32041a95cf8cb131f058b31e14bb4639a3385d9fe1a910bec8a517ab4a9223d94dfa28857fe57fe63135eac10d661c2df92e6bb380aee746c7a9c6b4821c2e27

Download Submit
C:\Program Files (x86)\Falco.url

Filesize
46B

MD5
3c342ae18cda361b831693e88dfde457

SHA1
247fb552e87544e42c15f14ccd47b1e58609a91d

SHA256
dc0210515ba93a9456ac6d46c798838506aa2bd334a340024c2b6599aeb902c1

SHA512
1817854abb06c459a1f4ffb65d61a136bec302364dcfb8c8549f78bce05f36dea1cae4a5ffde4f76828f874064046c6e0ca9d9b5882e05114c1adfd63ad83d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-15KGF.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LAK5F.tmp\10a4341362b0e3e596a5936e32978e6b_JaffaCakes118.tmp

Filesize
688KB

MD5
5cd728b172a761eb7d9fed1a0191ffa6

SHA1
298a648fd640480a7638636c4481a03e2c115b6f

SHA256
8bdc8d74bd0b609864e037c28ee852bbcf3cb8bf7bf5e88025e07a7d544367b3

SHA512
653814b2992d7e5f29cf19b61c48aa5bc16ecba877a81cf17a9189197e48a0abffc4b70c167ed0a783b5076a0fc894b73dbd5557802aeb99cc77310daeb8e817

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UJ58T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\Desktop\Falco Freeware Website.lnk

Filesize
993B

MD5
b89d21f87bbcca7a3b279069134b2910

SHA1
081a2e177016fd0dfda44ee6cddb1d4e6a752a6c

SHA256
8a57c78fb89ba3e521cdc64095839c7c6a5100c4da27b452c4d218c67eedcd50

SHA512
264eaedeef9313c989b449003ad408c8f54acd89885e4ca3221f339874b86fbf74ce86e37b8dbc222ccda0fd46859769ad22c677c4d641e2c62d412202a34e86

Download Submit
memory/400-97-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/400-94-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/400-90-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/400-117-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/400-123-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1036-88-0x0000000000400000-0x0000000000DF5000-memory.dmp

Filesize
10.0MB

Download
memory/2372-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2372-91-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2372-125-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2372-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-69-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-22-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-82-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-36-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download
memory/2444-35-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-32-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-29-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-27-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-26-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download
memory/2444-16-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download
memory/2444-20-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-23-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2444-21-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4300-246-0x0000000000400000-0x0000000001148000-memory.dmp

Filesize
13.3MB

Download
memory/4300-352-0x0000000000400000-0x0000000001148000-memory.dmp

Filesize
13.3MB

Download
memory/4300-354-0x0000000000400000-0x0000000001148000-memory.dmp

Filesize
13.3MB

Download
memory/4300-579-0x0000000000400000-0x0000000001148000-memory.dmp

Filesize
13.3MB

Download
memory/5004-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-83-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download