751b20cde6115909091fe3f8678445202b3dc5082441c19508152d635cbff6cf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe
Size

104KB
MD5

017b2cd27844e65918619a70bf51c005
SHA1

c4d0faffc5780d1228f2b1d47094937085131db4
SHA256

751b20cde6115909091fe3f8678445202b3dc5082441c19508152d635cbff6cf
SHA512

ea76fd81ea6b3f95e717b68482d1be3f8c97843eb5dbcb9bbc4d1f522a71c9e96a1605e5f5a4270639be2e47b4dc1bfa9612975303e23316e7221691abe49daf
SSDEEP

1536:jrcImRjJEaFtho6n4/DggkrXlwwNdBempwGcA7Vc7+eUb:XcxRaa1o/EfrXbN3eaNcu+aeU

Score

8^/10

discovery evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
1164	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Desktop\General	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2724	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2724	2664	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	30
PID 2664 wrote to memory of 2724	2664	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	30
PID 2664 wrote to memory of 2724	2664	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	30
PID 2664 wrote to memory of 2724	2664	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	30
PID 2724 wrote to memory of 1164	2724	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	31
PID 2724 wrote to memory of 1164	2724	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	31
PID 2724 wrote to memory of 1164	2724	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	31
PID 2724 wrote to memory of 1164	2724	JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_017b2cd27844e65918619a70bf51c005.exe" del
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE.tmp >> NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2724-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads