Overview
overview
7Static
static
30df027012e...18.exe
windows7-x64
70df027012e...18.exe
windows10-2004-x64
6Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7WordDecryptor.exe
windows7-x64
7WordDecryptor.exe
windows10-2004-x64
7contacts.html
windows7-x64
3contacts.html
windows10-2004-x64
3images/uninstall.exe
windows7-x64
7images/uninstall.exe
windows10-2004-x64
7index.html
windows7-x64
3index.html
windows10-2004-x64
3license.html
windows7-x64
3license.html
windows10-2004-x64
3support.html
windows7-x64
3support.html
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 04:32
Static task
static1
Behavioral task
behavioral1
Sample
0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Uninstall.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
Uninstall.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
WordDecryptor.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral6
Sample
WordDecryptor.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
contacts.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
contacts.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
images/uninstall.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
images/uninstall.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
index.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
index.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
license.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
license.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
support.html
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
support.html
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe
-
Size
556KB
-
MD5
0df027012e52401eaf5dfe5f14e27917
-
SHA1
242b1fdc396825c649aa9a0f3ddf53bd38f77162
-
SHA256
aea98d4e9b8f05ad9cc5b3962851b4659664a0e83b46c12d7401d34b9ac9db12
-
SHA512
a0f7e22b332d0d412bba8db592102e1f7ef95c4fe405515032561b530a5cdebfdd152a1af3129d3756ae4ea2a0fcacf52737ad35dc313420c24ec4c1f98982a8
-
SSDEEP
12288:pUKcJ+MGz3vN1z5dHuRAftHTBFQB4qiTo/IjaJnx0POrHCq:p9cMDz3vP/5/KBtiToqaJFB
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\buttons_pr.gif 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\buttons_pr.gif 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\WordDecryptor.exe 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\WordDecryptor.exe 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\license.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\support.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\button_add.gif 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\word.gif 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\worddec.jpg 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\index.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\index.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\support.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\worddec.jpg 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\Uninstall.exe 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\uninstall.exe 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Thegrideon Software\WordDecryptor\contacts.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\contacts.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\license.html 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\button_add.gif 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe File created C:\Program Files (x86)\Thegrideon Software\WordDecryptor\images\word.gif 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe -
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\shell\Open\command 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\.wdp\ = "WDPWordDecryptor" 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\DefaultIcon 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\shell 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\shell\Open\ = "Open WordDecryptor Project" 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\shell\Open\command\ = "C:\\Program Files (x86)\\Thegrideon Software\\WordDecryptor\\WordDecryptor.exe %1" 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\.wdp 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\ = "WordDecryptor Project" 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\DefaultIcon\ = "C:\\Program Files (x86)\\Thegrideon Software\\WordDecryptor\\WordDecryptor.exe,0" 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\shell\ = "Open" 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WDPWordDecryptor\shell\Open 0df027012e52401eaf5dfe5f14e27917_JaffaCakes118.exe