5c3ed14be5546228e67b3a6e06c3a19c1eeef3e7671367ebe0ac2ba75a5f7a2e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Size

150KB
MD5

3c167a7c59626593b133881dd2998d3e
SHA1

6964a04368af1cceae5c78029128cadbc6dea538
SHA256

5c3ed14be5546228e67b3a6e06c3a19c1eeef3e7671367ebe0ac2ba75a5f7a2e
SHA512

38f65fef1e186f0d415153b25980849da9605b5952468c2468592efa23fec7df9d95c1312f9a1096ed009b2c01ec0ec14e7fbaa5600b102f8fba1a105b9ba952
SSDEEP

3072:tlxAxiiAYXRJ1cbuR3m8KoNVzbqQ+yaKf4baDJws3wDJ:tePXD1zQuNV1+yiJ

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	inl9201.tmp

Executes dropped EXE 2 IoCs

pid	Process
3060	7C54.tmp
700	inl9201.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5792ca.msi	msiexec.exe
File created	C:\Windows\Installer\e5792ce.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\e5792ca.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6CB27FD5-21F9-4FF3-90C2-BF069FC33424}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI947F.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4776	3060	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C54.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl9201.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
2528	msiexec.exe
2528	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	2528	msiexec.exe
Token: SeCreateTokenPrivilege	1500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1500	msiexec.exe
Token: SeLockMemoryPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeMachineAccountPrivilege	1500	msiexec.exe
Token: SeTcbPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeLoadDriverPrivilege	1500	msiexec.exe
Token: SeSystemProfilePrivilege	1500	msiexec.exe
Token: SeSystemtimePrivilege	1500	msiexec.exe
Token: SeProfSingleProcessPrivilege	1500	msiexec.exe
Token: SeIncBasePriorityPrivilege	1500	msiexec.exe
Token: SeCreatePagefilePrivilege	1500	msiexec.exe
Token: SeCreatePermanentPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeDebugPrivilege	1500	msiexec.exe
Token: SeAuditPrivilege	1500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1500	msiexec.exe
Token: SeChangeNotifyPrivilege	1500	msiexec.exe
Token: SeRemoteShutdownPrivilege	1500	msiexec.exe
Token: SeUndockPrivilege	1500	msiexec.exe
Token: SeSyncAgentPrivilege	1500	msiexec.exe
Token: SeEnableDelegationPrivilege	1500	msiexec.exe
Token: SeManageVolumePrivilege	1500	msiexec.exe
Token: SeImpersonatePrivilege	1500	msiexec.exe
Token: SeCreateGlobalPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeIncBasePriorityPrivilege	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3060	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	82
PID 432 wrote to memory of 3060	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	82
PID 432 wrote to memory of 3060	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	82
PID 432 wrote to memory of 1500	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	86
PID 432 wrote to memory of 1500	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	86
PID 432 wrote to memory of 1500	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	86
PID 432 wrote to memory of 2540	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	89
PID 432 wrote to memory of 2540	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	89
PID 432 wrote to memory of 2540	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	89
PID 432 wrote to memory of 4976	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	91
PID 432 wrote to memory of 4976	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	91
PID 432 wrote to memory of 4976	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	91
PID 432 wrote to memory of 5024	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	93
PID 432 wrote to memory of 5024	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	93
PID 432 wrote to memory of 5024	432	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	93
PID 2528 wrote to memory of 2948	2528	msiexec.exe	94
PID 2528 wrote to memory of 2948	2528	msiexec.exe	94
PID 2528 wrote to memory of 2948	2528	msiexec.exe	94
PID 4976 wrote to memory of 2960	4976	cmd.exe	95
PID 4976 wrote to memory of 2960	4976	cmd.exe	95
PID 4976 wrote to memory of 2960	4976	cmd.exe	95
PID 2540 wrote to memory of 700	2540	cmd.exe	97
PID 2540 wrote to memory of 700	2540	cmd.exe	97
PID 2540 wrote to memory of 700	2540	cmd.exe	97
PID 700 wrote to memory of 4076	700	inl9201.tmp	98
PID 700 wrote to memory of 4076	700	inl9201.tmp	98
PID 700 wrote to memory of 4076	700	inl9201.tmp	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Roaming\7C54.tmp
  C:\Users\Admin\AppData\Roaming\7C54.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 264
    3⤵
    - Program crash
    PID:4776
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS8CE~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\inl9201.tmp
    C:\Users\Admin\AppData\Local\Temp\inl9201.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9201.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3060 -ip 3060
1⤵
PID:2172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E3BA2B73C6C23FB3328CDF56FCC47168
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5792cd.rbs

Filesize
8KB

MD5
a07e6603f79f47e4312f5fc12ab5644e

SHA1
b97c2c45c4f29db1e80a1912df0921438832bc7d

SHA256
56b1036cde81545c4bda37efe7325a1cda873ee17414fc5637264ee3907e69fc

SHA512
5058a341b56bcdaf3c3bfd13cbfc43b09b18ed945e3f34964653f679646eca4f5c6cf44356774e559961f726be28c70b4108838b117b54d37759c960d431d4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS8CE~1.INI

Filesize
66KB

MD5
02db2f57a823b5ad16b2a2fb6e86953d

SHA1
8294b77c1df6c9e95ed8ba88c1b0de1c9fbb1d7b

SHA256
ccbdd15a0c2cc36fd013df83da62e784bdb1dfb534b1b609574dad791d87fcc4

SHA512
aba3c6317875c8c4e71f382987eea06f9b08b4b1e884a8780efa96ac4ef766843da6866f02dc7c5e74917455dc6b43971525c2926d232cb42dd9c783cf58d11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
a3e87509fcef84d0d44a6c2ed7ab1307

SHA1
66156b6e72a92129653942073fc42839e94075a1

SHA256
7889f40828287037cd36eee7d26e052860d12f2e5189fee76cd91d01c1fe05f7

SHA512
a3acc122c4d07b38e8a1ee2ba50df3a2aa5bca4ad5097e14f5b23e27ead5a8979eea4dd94875636c4fafdc7b3d75a92bbba9b889aaaef03663d970095c5aabc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/432-36-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/432-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/700-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3060-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3060-10-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3060-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download