Overview

overview

10

Static

static

3

JaffaCakes...c6.exe

windows7-x64

7

JaffaCakes...c6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_1f8413b28bb7ec298923ca139d633fc6.exe

  • Size

    125KB

  • MD5

    1f8413b28bb7ec298923ca139d633fc6

  • SHA1

    99614e9320312cf0b6039bf3f9c4feda8a1194c1

  • SHA256

    002508a4cec942c5b80483a46cabb6845ec961abb67e3b9eaface89996aa5457

  • SHA512

    3d6b75b4fe45ffcdc634734590b5832dab71e577926570b4c84fc2dff21cfb1c4733c746e3a33379e3f37c9dc9f58a217371a257afde22ab25705d877cc2dc54

  • SSDEEP

    3072:Y6lXWN336MdMfLirVQW0/nyyplK7/QoRawi10afCtBGRJFabWWT:JXgqqULirVT01w/QN1pCUJF85

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f8413b28bb7ec298923ca139d633fc6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f8413b28bb7ec298923ca139d633fc6.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f8413b28bb7ec298923ca139d633fc6mgr.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f8413b28bb7ec298923ca139d633fc6mgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 100
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2840
    • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
      "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{97F01BE8-E19A-4665-9160-1A1A846DC97B}.jpg
    Filesize

    23KB

    MD5

    fd5fd28e41676618aac733b243ad54db

    SHA1

    b2d69ad6a2e22c30ef1806ac4f990790c3b44763

    SHA256

    a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

    SHA512

    4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{9EA45825-0D7B-42F9-ACE8-1FD16924FA33}.jpg
    Filesize

    22KB

    MD5

    35e787587cd3fa8ed360036c9fca3df2

    SHA1

    84c76a25c6fe336f6559c033917a4c327279886d

    SHA256

    98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

    SHA512

    aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

    Download Submit

  • C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
    Filesize

    32KB

    MD5

    84bba83cfbc0233517407678bb842686

    SHA1

    1c617de788de380d28c52dc733ad580c3745a1c1

    SHA256

    6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

    SHA512

    a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\JaffaCakes118_1f8413b28bb7ec298923ca139d633fc6mgr.exe
    Filesize

    60KB

    MD5

    94f2f6ffbba8e7644668b51b39983916

    SHA1

    63357bbdf90101969117983dbc0d4ed0e713c4d7

    SHA256

    ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

    SHA512

    d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

    Download Submit

  • memory/2112-0-0x0000000000EA0000-0x0000000000EC3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2112-17-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-88-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-102-0x0000000000EA0000-0x0000000000EC3000-memory.dmp

    Filesize

    140KB

    Download