9b9842d47247b8324d89b3f2560baa491307ac3a116cc8ccd8d68963eae667fb

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
Size

307KB
MD5

0f230923326d899d1e4661e36c6e16c4
SHA1

e98d3770c5288e907c5cda5a0a479a5e74761387
SHA256

9b9842d47247b8324d89b3f2560baa491307ac3a116cc8ccd8d68963eae667fb
SHA512

8e5737cf43ad93de986922a45d09f005081909f3f731cd1be9e284bea87e4932014c724ce74d9289218b8da65a8d9896670193128de99ec5fa39057a665f4e9c
SSDEEP

6144:yAWkhT7LRhW9FhNGpWtS9vF3AK8V6sOY9jeuvQP:J9L/AFhNGpWtS9vRAKm6sO0jeuvu

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	\??\c:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\desktop.ini	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\desktop.ini	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mng2.txt	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\msadco.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\lib\jawt.lib	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ps.txt	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\lib\dt.jar	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\jdk\joni.md	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javadoc.exe	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\security\java.security	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\en-US\wab32res.dll.mui	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jmap.exe	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\tipresx.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\da.txt	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fi.txt	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\sqloledb.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	3016	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f230923326d899d1e4661e36c6e16c4_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 552
  2⤵
  - Program crash
  PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3016 -ip 3016
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
2.1MB

MD5
ab58d6623ecff9946b01dd6fef8f9e43

SHA1
1157ab24ff689b61bc3067b527f6df063cf5dc14

SHA256
31e06341ca6d6fbd1378475df77a01385c3857221ae077423402f0727d9e9f39

SHA512
6b576c7bd7dc969004df4394521ff11a6ac5adf999b3bdc595081dc9fb996a0f2988af877586cfbb5ab9a53ef5f0fbc7d0e8d542069d5798570318eb103873ba

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit