abc2eed590d3f3f82c35a74e484ff71307238f39124047e5a1902030e1c32384

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
Size

1.2MB
MD5

2bfc13b7babe28d7f4257335ddfda25c
SHA1

aed73dd81bb48d56cd6eda2b6d473036ea969c80
SHA256

abc2eed590d3f3f82c35a74e484ff71307238f39124047e5a1902030e1c32384
SHA512

e1b174c3cd331fa8ac7632eb0ea697e4a0a2c6520cd15915cae40ce836377e7c95b21cf3b781242505638252bde4865fcfb9ca3fddf83f2fe824a5bb47ffcbc4
SSDEEP

24576:AaClZVlOb9dUV13iflIA+wHmYaZbLmFpKEiGy:JcfAIA+DFLipKEiGy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2168	svchost.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
3864	svchost.exe

Loads dropped DLL 20 IoCs

pid	Process
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4896	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2168	448	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe	83
PID 448 wrote to memory of 2168	448	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe	83
PID 448 wrote to memory of 2168	448	2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe	83
PID 2168 wrote to memory of 4896	2168	svchost.exe	86
PID 2168 wrote to memory of 4896	2168	svchost.exe	86
PID 2168 wrote to memory of 4896	2168	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4896

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bfc13b7babe28d7f4257335ddfda25c_JaffaCakes118.exe

Filesize
1.1MB

MD5
453a35f5016f8bb29ed5e15f0a14ea57

SHA1
4a58e11186b1863135f697d5d02a5b76845d7d4e

SHA256
d1b564cbdfc4f31cd9681da247cd06aa9a43d7e63986381f7807da46aa274ecd

SHA512
db6aa5d0cea06afd257b84a0907fd0e803b5fcf95f50c28385e63d2b934deb0f80032f484e8fbecf2d5353cd5be4130aa7fcb0c37f6d85f22beb6fb8df873fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\BinaryArray.mfx

Filesize
61KB

MD5
180a7a143d14e48afae8758fcf9cc809

SHA1
ebf1b8477c64e4f2c8e88973154f612e69a76f36

SHA256
70829298cf558c7139db5629e0184a5f2f42a6afd58ef56122c6d15698a0ae34

SHA512
36c2b10cc1af1fd77bf946b22300e4914e2a4a8876b08857dcf07bd120589699a03d42f8d45dfdfe0da008431b4fffd7a505ebcf8af9a8c844189b50f654e76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\Get.mfx

Filesize
12KB

MD5
f10148c6fc126ca4e3d56215a495499b

SHA1
50847468bf24a1bb6056d80539e29307c531e608

SHA256
f5597c3f0bf15d63d130158a20c2674a06a950b886c46e08b146c5dbeea35464

SHA512
8b17438560b96dd998bace3905d49fd1414836db677dc19f3b13fc99483d362db443d4c5e880a3c1e54ca8c5d8968768bc5e8e5cba10980ba5704beaf54fdf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\KcButton.mfx

Filesize
36KB

MD5
f95175c12b9119de3bedb92e468b84b2

SHA1
8f48812aa4d2bf53c0810d2a0b68851778098941

SHA256
7dedd7ea46dae32ad41cb968d265e577afe02e34df142b2e27f7ef7154ab5082

SHA512
8fd186fc7be7d86331bd10f0f1c5dc72bd6dd8df1ec977ebd3275776fe294bff47d3def67330efd4441e3bce5660cae313d10d4ab75a275bb34f044fd28deee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\Lacewing.mfx

Filesize
120KB

MD5
7283c52688ca8b745ec11fea90ffe962

SHA1
74fb6a8c43cc3fcef757fac80c396d5ddf268045

SHA256
73b7432afb811ab1910d47262347abadac34243313d9cef972521d03a159b4e5

SHA512
7bd140c604328bfbf8c372511da99c0b5cf66f3697469329b7aedabab67d6c7ea631a5ddca5f61a620edce1ff7d58c16edf5ee788ee334d4b92d14e6bd235403

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\ListView.mfx

Filesize
48KB

MD5
77079491d3308e03d61d29531b519197

SHA1
db6a14779603d7483e7b944e67853d4021708b52

SHA256
e9d013b4657980be70fec7c6fb295f112f388a9172a757b2361137cabab54d14

SHA512
f894deb21dd8c884797a9bee742dbe687b68b62a22578655d30462fcb4b29179ca12f33d3772651c491948f0f8cf5e6f976b578555b370d9547e6a61d1a1f9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\ProgressBar.mfx

Filesize
24KB

MD5
cd19cc430cf2ea7370d07720c59ba1bc

SHA1
73d57a9e7716f3496ceee6707d4e25359fca66f6

SHA256
3fd881f0c8de475c867d2d6fb01985b895b420aa92ec696572019a61dade8cf5

SHA512
a4cd61815117b03d2482fcae9211f7dd61f9b6e3f932f6b6dd6c32b6fe43435e2a89de01bc8d7b9f17bfd2b44e2122077d381a3981e60ff1aa0f54f94865f658

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\QuickHash.mfx

Filesize
60KB

MD5
09d7ae18ac7793899976cd9c824d3a0e

SHA1
657142c9bc8c770b39f7ad24d9babbfbcf4c6ae2

SHA256
02d34977fe48b086c7df66f1d29aaf843e120b9bae3ab09e6083680fc0ecaf4c

SHA512
75671bf6281c9a27dcd3f909cdd5a8082ffd4f385d149827818572b148bf3bc040ef6352c314f1cf503b4437ba65ab906c32ad3c6deaaecb752aa567b80cebc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\fcButton.mfx

Filesize
56KB

MD5
22b13517a863fadb37c909b2faaa705a

SHA1
3f2ddb61df1464442756fccd1898613dbf1787cd

SHA256
4e005c44f0a44d3f1464a75a15cee1a8653b3a7c1c26fd2796ced7f0a0b1241b

SHA512
75c26544106d22618557cd10565d5fdd59541b1031521dd397b3cc357cf13e0273c792918c63778714d1c4dadcc6e3f17f984e14e36964ccbad04b67dd2305af

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\kcedit.mfx

Filesize
32KB

MD5
6e48480835f787cf590d50365561d5fe

SHA1
f26e0820688e10906f73a41ba4b8736fca5f6709

SHA256
e26a27ae3ddc74e943e4fbdf4bf26b40f243d92cda3cd5db8a8ab8d973bcda3f

SHA512
b4186a23885f573cda4b18188d95a677c745acec068f54dae0b5b2892cd2bdabb964945b302cb8eda89370044965fdab9c723a0cc7d68600625fb6540fdeb4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\kcfile.mfx

Filesize
36KB

MD5
74225f508b64ec89e79531aabee00467

SHA1
ba695660f4c22ff57a91d9370fffef1fdc5d5162

SHA256
a404436d2f3c665ec782f991914ac90ef80143226c94e1affc43a02a2fe304d4

SHA512
0a5dc09d1229d4b8d301c14c72474b79481ac500675c73a9ad6477bdcd5f00d6eb8db077ec2f96ce30a1fd1d54f9cc84349ce406cc9e403564d7310740ec012c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\kclist.mfx

Filesize
32KB

MD5
c89739b88389a1412472858c569bc959

SHA1
5bff97e35361e1a687b682840f18821b661d2212

SHA256
985dfbea52a2b4f0ec4b4d242e6a14d5a5dc2acaf1670331297f282f6356ebba

SHA512
2982da4826452eac87011b8f8863eef99d70ebb2e6a83ff88a20c65dbe2d5d1a7ad07f71603281425dfc8f764fede4ce66febb1dca521bb2bf91494de4d01721

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\mmfs2.dll

Filesize
300KB

MD5
dffca25b1fc4cc0b9e4b08a551ed0344

SHA1
1982f8ed843bb9a0d80eb11bc357c6e9798d277f

SHA256
186d448aabec4fcb6661ee105c5d399ad01f4ec1f7bf6c5cb70364d74cc34709

SHA512
6926760c16b32787a814da24b20786d3c00202ffe658cd4e3d943d5cf6bedb70105babb7f352a286f410d3dad30c1c6257ac707226c84f39d322ddc7ab25e563

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt79A4.tmp\parser.mfx

Filesize
30KB

MD5
3d165afb1f937f1bc9faa6ee300f34a5

SHA1
c574e596eed3a84ecfce83c51b22821f1322c7af

SHA256
d1059245292aafd7f1d6e3251998b11ff3eda4baee85ba3812044bbca5d10410

SHA512
95080c539da77dd855dfbb440cdef840bfbbc235750f07ed1403e044a7a6dd1b563a0b8ece1ca1eb3ceb19e70520b4c2db11c9e3cee4bc14463836a989842d5d

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/448-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2168-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3864-71-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3864-72-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3864-79-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4896-58-0x0000000002270000-0x000000000227B000-memory.dmp

Filesize
44KB

Download
memory/4896-53-0x0000000002250000-0x0000000002262000-memory.dmp

Filesize
72KB

Download
memory/4896-63-0x0000000002280000-0x0000000002293000-memory.dmp

Filesize
76KB

Download
memory/4896-36-0x0000000002200000-0x0000000002223000-memory.dmp

Filesize
140KB

Download