23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Size

1005KB
MD5

12e9927d52006fdfb16919e0ccdfb670
SHA1

128643ef042e58f53b0d493441afb5ef6fa61bc5
SHA256

23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa
SHA512

76dae07dd4b99f1bffb9bdbe79b07a2246f31271a288562adff5e6d9af4587c1234895ac651c55025d27de4e4d623adf266aaabaf0735791900a628c8d981ad1
SSDEEP

24576:5aK/eDpS1eAR+XTQeZaSyYE5Qs+B9Kfyl/QlrnRdyNCMNqL1Xi:3/e9jCST5ZHyYE5hboir91Xi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4516	svchost.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3076	svchost.exe

Loads dropped DLL 14 IoCs

pid	Process
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023621-8.dat	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
3664	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4516	2280	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	89
PID 2280 wrote to memory of 4516	2280	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	89
PID 2280 wrote to memory of 4516	2280	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	89
PID 4516 wrote to memory of 3664	4516	svchost.exe	90
PID 4516 wrote to memory of 3664	4516	svchost.exe	90
PID 4516 wrote to memory of 3664	4516	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3664

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Filesize
969KB

MD5
4aa7b3644724f2da70054eb3c4f92c78

SHA1
e18fbb8ca40ed86c3793474cc35f427e669cddea

SHA256
0ba8d7841aa524ef55b0c9ce4557b7286e0bb5eb2195ef1bd03c7dab8da9f10c

SHA512
7b703024d6328b20ea4bd27885a6cdcfdaef14a4d48df998e9eed80c3b04e0171d2c87cc36a8277e3d599c6529df8c4635c59a5503113a6bbc6344e010a08e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\CustomLicense.dll

Filesize
2KB

MD5
6c20819f7b1b3c25b4cc2aab38bdc6c3

SHA1
005c475c579cee2c60d77642d6d9586e0884964e

SHA256
156719e9b9f965f0e205aeb9e4f07254ea0576fd422f7e90e8f1d90e5fc51050

SHA512
635b602c451a8f29e6618670ebc08753d0008025fc3f0ca7619eaa578a76acaad1a88f86df9be64a3dd50db849e6513e465b1a3eda006da16b9ec03c566de2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\NSISdl.dll

Filesize
14KB

MD5
1413350c401e65ee4666fa36c9d8997c

SHA1
acab76b047c0512125de49fead6b84e92da0b0f6

SHA256
aff65714ba229568469a9addf9b2b58e4bb169ee94ac423523e12afa9ec28365

SHA512
9b46512941e2ad8ef47f0024a0f0e069743c714dd5c525bbbfc9dd871696a121b53236757225257495ba8a1a71f68ea79a324a84503a6f0a3d3c40990aa1f160

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\StartMenu.dll

Filesize
7KB

MD5
4973362a84e11dd8541387ab1694afcc

SHA1
b78a0fe67c07713c7abd9668b881c4bc808d9a7a

SHA256
7757518466b21ce175607f10599f26fff127d59a16dc10bf4ba4b7d83d13d47d

SHA512
65c305eced5cd81fe3a573827d62a33e400f03d5bfcb3b3a503927bc0decaedef5d74e6d1ba25a0601fe812f8d2424887d58211c3f3cea1442643f5d1c23c2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\System.dll

Filesize
10KB

MD5
86b5a07a43b7cbc5c49263b8d974b736

SHA1
78388286a311810d812c13d87dea12d581713e60

SHA256
5897fb00be38e502fb5dfd047d97e5e4da6387a7a6259633dc31c2427612901b

SHA512
dcbe379c28302bb3472339cd24949b16548fa0003882a920df6839078cc7b2563f058a0524bf25df0a5ec8b08e302ebc9e646033109958669d8af883af959ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\UAC.dll

Filesize
16KB

MD5
acfb66ee6fc1f4266229ec6098fe1740

SHA1
e1aeb31b11996015d7f17308e2f2bbe69d4e1476

SHA256
6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e

SHA512
bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\btwarning.ini

Filesize
175B

MD5
a2022258082809baedb031efaf5a434a

SHA1
2e921922c760b76d940e8655885567544d24c7a5

SHA256
1f6d3e90202b97432ee508b146ec7ec1e29f8cfdc91615376fe44940f944b6a6

SHA512
67648698641f4fe082d969bb14e115b63b5cbbc57aa04e55f1a7d7cf8012745eafd424dcf737a70b8b74f640c50cc5e858850344024f3c3168acb742d118214e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\ioSpecial.ini

Filesize
379B

MD5
a6e798c5e7b682fb8a3fb3383c23bbfb

SHA1
2b8081c0c8678d07bb04a9e19e8f67dfc93e13e1

SHA256
c7467b47ee0a5f41af760e29ece0d32eff3dd23563fab57acb0c5b3669ed142a

SHA512
e4767d502d3262d1b843c930a51c7f77f8b4b937c1836c254d8bf3b114d8bf75e125b128a93215af800af93273d54bfb1136e4a7733359a77eda807dc7d9169f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4439.tmp\ioSpecial.ini

Filesize
688B

MD5
1ff433da0cd5719c49ddf0f107c67b14

SHA1
442ba206611d67fe7141db1d1bf925387dfe4df6

SHA256
bfeaa27a10071ddec5ff8e2cff420325ef42811a6a391231475144eb9b1e9f33

SHA512
17d9258706d2bf9e00fd9a35ceef619e2e6cb2290e9f819b5b3e2bcb36497f662b8c107c1ef31616114a43e966c8c7a5e2cfcc31610680847b7623459847ba29

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/2280-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3076-160-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3076-172-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3076-176-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3076-179-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4516-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download