36b8aa9315afba0c3bce729f0889fb033f01189f05e1a22994445d702ec612c0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe
Size

150KB
MD5

3fc09a37f0c7da1a4d5f0486a115365b
SHA1

b28715eb2931ddc5308a3bb5462e0a1f24282e76
SHA256

36b8aa9315afba0c3bce729f0889fb033f01189f05e1a22994445d702ec612c0
SHA512

71fde22e3de0f2ad529d5a0345985eeddaab19953087887f0c24819f55aa72ab3cba1755e3120241ceeb87519f063eaeb1a116278f796c4c2acc4b8adf4ca77a
SSDEEP

3072:uv5zQKSJs/rWDVV8EcUqgzOc8hdF/7oQkx5YbMHkdv2r:c5MK2orQ7XAgzahdJ3s5YKIvQ

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	inl9F11.tmp

Executes dropped EXE 2 IoCs

pid	Process
784	ind89A2.tmp
3340	inl9F11.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57a018.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\e57a018.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{47E0658C-8372-46D6-98DD-4949AFCD2E11}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA18F.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File created	C:\Windows\Installer\e57a01c.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	784	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl9F11.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ind89A2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe
3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe
4788	msiexec.exe
4788	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	4788	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeMachineAccountPrivilege	2012	msiexec.exe
Token: SeTcbPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeLoadDriverPrivilege	2012	msiexec.exe
Token: SeSystemProfilePrivilege	2012	msiexec.exe
Token: SeSystemtimePrivilege	2012	msiexec.exe
Token: SeProfSingleProcessPrivilege	2012	msiexec.exe
Token: SeIncBasePriorityPrivilege	2012	msiexec.exe
Token: SeCreatePagefilePrivilege	2012	msiexec.exe
Token: SeCreatePermanentPrivilege	2012	msiexec.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	2012	msiexec.exe
Token: SeAuditPrivilege	2012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2012	msiexec.exe
Token: SeChangeNotifyPrivilege	2012	msiexec.exe
Token: SeRemoteShutdownPrivilege	2012	msiexec.exe
Token: SeUndockPrivilege	2012	msiexec.exe
Token: SeSyncAgentPrivilege	2012	msiexec.exe
Token: SeEnableDelegationPrivilege	2012	msiexec.exe
Token: SeManageVolumePrivilege	2012	msiexec.exe
Token: SeImpersonatePrivilege	2012	msiexec.exe
Token: SeCreateGlobalPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeIncBasePriorityPrivilege	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 784	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	83
PID 3304 wrote to memory of 784	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	83
PID 3304 wrote to memory of 784	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	83
PID 3304 wrote to memory of 2012	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	88
PID 3304 wrote to memory of 2012	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	88
PID 3304 wrote to memory of 2012	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	88
PID 3304 wrote to memory of 3624	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	93
PID 3304 wrote to memory of 3624	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	93
PID 3304 wrote to memory of 3624	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	93
PID 3304 wrote to memory of 3360	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	95
PID 3304 wrote to memory of 3360	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	95
PID 3304 wrote to memory of 3360	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	95
PID 3304 wrote to memory of 1512	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	97
PID 3304 wrote to memory of 1512	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	97
PID 3304 wrote to memory of 1512	3304	JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe	97
PID 3360 wrote to memory of 3708	3360	cmd.exe	99
PID 3360 wrote to memory of 3708	3360	cmd.exe	99
PID 3360 wrote to memory of 3708	3360	cmd.exe	99
PID 4788 wrote to memory of 1636	4788	msiexec.exe	101
PID 4788 wrote to memory of 1636	4788	msiexec.exe	101
PID 4788 wrote to memory of 1636	4788	msiexec.exe	101
PID 3624 wrote to memory of 3340	3624	cmd.exe	100
PID 3624 wrote to memory of 3340	3624	cmd.exe	100
PID 3624 wrote to memory of 3340	3624	cmd.exe	100
PID 3340 wrote to memory of 4272	3340	inl9F11.tmp	104
PID 3340 wrote to memory of 4272	3340	inl9F11.tmp	104
PID 3340 wrote to memory of 4272	3340	inl9F11.tmp	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\ind89A2.tmp
  C:\Users\Admin\AppData\Local\Temp\ind89A2.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 256
    3⤵
    - Program crash
    PID:552
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS9A3~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\inl9F11.tmp
    C:\Users\Admin\AppData\Local\Temp\inl9F11.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9F11.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 784 -ip 784
1⤵
PID:3404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 23ECB87C681A25B987A4581CE0EC5FAF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a01b.rbs

Filesize
8KB

MD5
3cf4136369b3107b49252b0a8a74d810

SHA1
9f8a1f03e15b914331d2962478a9ba1eff87e4ca

SHA256
f5e593abda968961f6599e5391ef6518c10209b2f532787057834c57f2601d1e

SHA512
b3d9c740363415e14a0fbf0c10e90ef792b9fd52c35c00bb9ae3aa58f2bfa651b4e59ca2c472515a166d21154777b86c5f7d95288bacd92de0a2653e176ba609

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS9A3~1.INI

Filesize
66KB

MD5
583b8328700da7b7b2a3fb072d98c53e

SHA1
b8ad3e5818e304a4a7ab40e292aa5825a7913067

SHA256
f5a73207f6df66f7168b66b63e723cd03839489e52e8ef6e038b884e1d067ec8

SHA512
843ccd26f2f6c7d14c7eea01d150b436d9da5204317b741a52da555364b568cbf6539e2ae77ead69e80292fea0a3c80eeb3cc0cc5360c2a6363085eda4fc4096

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
6a54a8cdee639909fbf83ea60956c0d3

SHA1
ffc0e69b2e8232a19fbcf9257f39ccf907b5054c

SHA256
94ce21575e1527e68c3a52bdf32bd558d661fd80e2f0032c1d4c3b234bc51510

SHA512
c41df0c9e38bc06b1bf63adab60dfdf0dbab5a4139c7462d7103deefe1658757787b76f3266e0221fb9fcf1f3368d9c55c9692f1d2cc17df213bf87405a75c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/784-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/784-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/784-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3304-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3304-31-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/3304-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3304-1-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/3340-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download