1dc7a2a9342ad70698ea3358048dc17072faff8fd90201ee80344bea5000d610

Analysis

max time kernel
97s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Size

1.1MB
MD5

b0aaa8a5948c20836ba7b590cd451551
SHA1

0bf5d01289ba0a8aa9b7d0da45e04eb1764f8b57
SHA256

1dc7a2a9342ad70698ea3358048dc17072faff8fd90201ee80344bea5000d610
SHA512

7f0d08417d1b2157fefa9a70c129fc6a124fdac3089b6ba3e18701cdc0c011d78512df85e9f1b3697b8c3cb813fed615ee73581aaa903012cd618f592df26848
SSDEEP

24576:80Men6rCMVvdVjwADt34svKIL5Ia6qdHsLS23i0iDHvJR7wGGgg:dMepGvE8o4KItIafdHwrkDHvJVW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

installstat.exedzl_924211.exe

pid	Process
4632	installstat.exe
4064	dzl_924211.exe

Loads dropped DLL 4 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exeinstallstat.exe

pid	Process
3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
4632	installstat.exe
3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\Documents\backup\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\backup\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Users\Admin\Documents\backup\User Pinned\TaskBar\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Drops file in Program Files directory 6 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\msn.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\msn.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\in	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\t	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\t.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\t.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exeinstallstat.exedzl_924211.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installstat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzl_924211.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x0009000000023c8f-122.dat	nsis_installer_1
behavioral2/files/0x0009000000023c8f-122.dat	nsis_installer_2

Modifies registry class 2 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnk\ = "lnkfile"	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

pid	Process
3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3748 wrote to memory of 4632	3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	86
PID 3748 wrote to memory of 4632	3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	86
PID 3748 wrote to memory of 4632	3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	86
PID 3748 wrote to memory of 4064	3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	91
PID 3748 wrote to memory of 4064	3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	91
PID 3748 wrote to memory of 4064	3748	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4632
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzl_924211.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzl_924211.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyC0C1.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC0C1.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC0C1.tmp\ioSpecial.ini

Filesize
573B

MD5
526b8a46a334d9925fa6999a28ffe0a5

SHA1
4983f2c1f628c1d4dfd5d23870b71915497d3fa1

SHA256
953693c069c7f56c8d3c1beb383c5035b8cceabac2dfc4a783dfaf33098e9a21

SHA512
0e5758346df497a8fb97543a571150b876c4081382af9a9a4b3be63744c14b2d9ebdf4975f1603e9d84afb27d56be48b96a3cb67a7904b226fc09d15d81310a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.txt

Filesize
2KB

MD5
e6e0b246bad1492125e650d0be6f4f61

SHA1
749630d3e991fa0c503ce7804653673ff3b06797

SHA256
e6ee04c0963aa51f812977f2d93a803d68ee0a6e40328a0eff1ddbc8967fab07

SHA512
0f8c14256acc97979013fa64daa2a59a14fd92b1b93324489164fa358ccbca8b775110d9f36f9d9b8268053a459d38036e175d852bbb940b37b297c23e8bd9c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.txt

Filesize
2KB

MD5
f4146d405935f44abaaaf4c0301ecb9f

SHA1
26461d9160d8448c9163a5aceebfb3b33da9ea56

SHA256
dbb6b9544e3381680d977e24f959a3a9e508256eab539c1d026d629d7f5d5bdc

SHA512
c8158c6aca5670d5e4358f37e07090a69ab1867114d2362f565b633ff7c0fdd6ca06a9eeb45a5380aa5028c1a777da9a25e416ded76c6ff4e18db858d9d1697b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.txt

Filesize
352B

MD5
325b790bc93ad8d27655c44365b485c0

SHA1
50b633a4ca28210ca882467cbc0d717d3283ac75

SHA256
78be9c61505cd98110a9b9ead83fac552d5b89fc549988fc9050cdaffb66f281

SHA512
a110a939eaab63be4cf362f4755f46486d41abfb316dedba3eb553d06bbaaa67fd2db31069fc47e937229f7a5c741aafd6dafa3c5a2cdb0cc9a62e0c2400e7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
83B

MD5
5739ddee167d55bbc4e313d778724a2b

SHA1
c0bff8120f033ed78dcbb8729fc7a42f015e878e

SHA256
384d63847d60b0612904dbde266eea1026c7c44efc8582a3ec18d2f49ca22805

SHA512
85a84e5d900e6b58bb4c0ff77f33ff41c355932f3f2bf4d13b4dfd4e41c7a0671404731a5d4d3cc3fb15acf838516620f1d9c1f896f3e068279b8da00807b29f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.txt

Filesize
334B

MD5
dd26c664f5264c672b6c4c260ed79c73

SHA1
b118670620d7214224c7ed2dc14ee67d7a49c044

SHA256
f8af405fb4819223f8f55c0ee3c054d58998af1560cededeaee35ea46a3497bd

SHA512
7d4773e7b7a9bdeff00886b73e082c1fd74f349db88edaf5a2fc1fad312ef770a70ea6f620833302e3e53c82d539c7132001610b9b24c4540b2f829cafbbadb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzl_924211.exe

Filesize
240KB

MD5
f48f6b45f3e2bd243342833088125da2

SHA1
6df69ee997c29bd9e302d2791db53ecdaa28a999

SHA256
6b193a8a230c40922af714f86d8372235cb8a15609430d9106a5441ea3fe9290

SHA512
c678c00e35e9a24d13a77e596bfc6562fc1f10523d2b53de29e29ab290fdeee8ac98f40ec9b9663f0b2c790c32d6ab514b9e5e5c06e3aa940dd8ff4cd8c430ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

Filesize
44KB

MD5
7c30927884213f4fe91bbe90b591b762

SHA1
65693828963f6b6a5cbea4c9e595e06f85490f6f

SHA256
9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

SHA512
8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

Filesize
528KB

MD5
b9b3b41e4d144b886af1cada8251d16f

SHA1
b18724bab7f10d1b3876ebf5f96e6b5dc97211dc

SHA256
fe094423639deae8fea8859935b611006c107a2e571084498820b21ebcc38626

SHA512
d99fe8b54dd16466c140849bbbdd394d481bb6f350fb8e21ce88e390f92d8970c93c654be9094f93a0b87570b3ba0bc3f28127eae2f96b6bc2455b83be2c6579

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\File Explorer.lnk

Filesize
407B

MD5
f727cbb9351106b2dd46f3ef649f3176

SHA1
5732055ec636a4706c6da6857ce1c1ebc1bc86e5

SHA256
cf116b33831de9f80847abdb2a0d92ab3d3f956a8e209ec95d35d986eea8c7b5

SHA512
01dffdcec62254701b9523bca7f572c1f5a5328a18c01fd6590721aded39d86db801bda23bb83b23876b67101991426a5c54087597971206276eeb18dd70f6bc

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Firefox.lnk

Filesize
1012B

MD5
e7184dcbabb127d9a1e5d08bb5fc6aa8

SHA1
096a0dcbb7eaf6b8056552990120e961beac8296

SHA256
5f2fcf60c66920a6aa3e5015d5990993699ec7d68e4d518335a6e95d0ccf584e

SHA512
19f03368088c2e474ef0a2cc280d0eb241e78c565eea58e62b4fa5410bddf318f210d29df12034fdd7efeb916f2a48495d3f12a3e905194b3bf4e8847dc899d9

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Google Chrome.lnk

Filesize
2KB

MD5
d1b9a1ff26c7b8b4f88ef99e056c33f4

SHA1
46454ea73d70027f07cd22da9990bd39e79f6270

SHA256
fc6007434ee7d3b29c6100396d7c11ca270fed7cd034e9fdf1bc0ffebd200f37

SHA512
9e17cd5852a8b756c716c0b37f6c4c13cd841539f203b8ede534c2b6f8d2e7f37ffb40bb1153ea7ebd7d083b3a60efb8f88eb00f7f3ee3ce0bbfa0904bbefc20

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
5fb27aa35e6f467fcf5d63edebcc6830

SHA1
b1432659af630b0268e64378d62997ba4f7fa043

SHA256
57c0597b94ccbc50f4e43d3b60b1d7c6408c1ab27a4a5d21f1e1d1f39348c65c

SHA512
a56ab378b942fa69ebbd7de4b9393eeb917019440feef26e71cccf8271efa579e7ca06418ebc678077cf45fcde48951730b692604192d57973f29810bd1f8321

Download Submit
C:\Users\Admin\Documents\backup\desktop.ini

Filesize
148B

MD5
623a388da0f5a5c9892d3eabf1bbd52a

SHA1
1e2f6397843c518728affeb462127d70eab34e91

SHA256
7ec3a3fb6a5f1cd628305053dfadc26fee7f378ea95d7fec212c5e42ae376066

SHA512
83608a90ca9cced09547f21c6b420634713a88fc153d3eed6275e3d38c8d2feb739dbfbeba108a6d8414db7e6e8b081e8d716b2ef905f57f2871a82e2964d25f

Download Submit