Overview

overview

10

Static

static

10

JaffaCakes...85.exe

windows7-x64

10

JaffaCakes...85.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    102s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-02-2025 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_1bc43472f1db1a49b463a62674303485.exe

  • Size

    281KB

  • MD5

    1bc43472f1db1a49b463a62674303485

  • SHA1

    5d69d2befe138e4ca60cde05e0beb631b5c1ff0e

  • SHA256

    24699c98062ab92c00baa322bfb922d57feaa4699d311baef0c16bdd71e90810

  • SHA512

    08d0a17f38dbf0994ee534b82d729f104e2bcad5f75ff32d2c82e0478426ca678972e9cfc944e3fd6f162a440adef78371f7186669c1d82202b9b7dffd87a4ef

  • SSDEEP

    6144:gScrL/4mp8D6WGc/YSlIipBReubLzeh7Yy0DMIdeiijX:xcIy78QSVnNyhsFMCeHjX

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 8 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1bc43472f1db1a49b463a62674303485.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1bc43472f1db1a49b463a62674303485.exe"
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Checks computer location settings
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:808
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 820
            4⤵
            • Program crash
            PID:2808
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1080
          • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1bc43472f1db1a49b463a62674303485.exe
            "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1bc43472f1db1a49b463a62674303485.exe"
            3⤵
              PID:3336
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 504
                4⤵
                • Program crash
                PID:4012
            • C:\Windows\SysWOW64\install\server.exe
              "C:\Windows\system32\install\server.exe"
              3⤵
              • Adds policy Run key to start application
              • Boot or Logon Autostart Execution: Active Setup
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              PID:2680
              • C:\Windows\SysWOW64\explorer.exe
                explorer.exe
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2748
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 812
                  5⤵
                  • Program crash
                  PID:4224
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                4⤵
                  PID:768
                • C:\Windows\SysWOW64\install\server.exe
                  "C:\Windows\SysWOW64\install\server.exe"
                  4⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2380
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 528
                    5⤵
                    • Program crash
                    PID:3656
                • C:\Users\Admin\AppData\Roaming\install\server.exe
                  "C:\Users\Admin\AppData\Roaming\install\server.exe"
                  4⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:3564
                  • C:\Windows\SysWOW64\explorer.exe
                    explorer.exe
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:1052
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 820
                      6⤵
                      • Program crash
                      PID:2912
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                      PID:4388
                    • C:\Users\Admin\AppData\Roaming\install\server.exe
                      "C:\Users\Admin\AppData\Roaming\install\server.exe"
                      5⤵
                      • Executes dropped EXE
                      PID:4868
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 496
                        6⤵
                        • Program crash
                        PID:1808
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 808 -ip 808
              1⤵
                PID:4252
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3336 -ip 3336
                1⤵
                  PID:1256
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2748 -ip 2748
                  1⤵
                    PID:4868
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2380 -ip 2380
                    1⤵
                      PID:5088
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1052 -ip 1052
                      1⤵
                        PID:2476
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4868 -ip 4868
                        1⤵
                          PID:4544

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
                          Filesize

                          236KB

                          MD5

                          7b049037ce3b9c343bd568aa99718b37

                          SHA1

                          3f5b8967b8b2da2c20d2d01b3562dc3ba09e4370

                          SHA256

                          f5be3c26463a17edf99eb588f8ed127b320990741d4bbf7565bec0e587664a5b

                          SHA512

                          1e4b5936e9d986136df57ebf31e1f958c6e7e306a761166687300abcaf066d07380f27dc95d1c7ea2e284899af3fe08752f4809cf230a2e20122cbdaeb5a0d8a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
                          Filesize

                          236KB

                          MD5

                          c8207d3e5987910bea5ff02e52c1a908

                          SHA1

                          a4bff4facfbb48b73a7ec87993ed68de3f818c4d

                          SHA256

                          c142ab29966721fd75a78c10aec6a3d5cf04ca0ff97c1fcb246edaca0009a4b3

                          SHA512

                          42735f0e9d215bc10c89c8c58bb2779a79aac1f18aca77322dd43fb8771a31ed22e48ea80f7cc2298ad3a80a5b78167492a762d847fc28ec6b050ce2608633f4

                          Download Submit

                        • C:\Windows\SysWOW64\install\server.exe
                          Filesize

                          281KB

                          MD5

                          1bc43472f1db1a49b463a62674303485

                          SHA1

                          5d69d2befe138e4ca60cde05e0beb631b5c1ff0e

                          SHA256

                          24699c98062ab92c00baa322bfb922d57feaa4699d311baef0c16bdd71e90810

                          SHA512

                          08d0a17f38dbf0994ee534b82d729f104e2bcad5f75ff32d2c82e0478426ca678972e9cfc944e3fd6f162a440adef78371f7186669c1d82202b9b7dffd87a4ef

                          Download Submit

                        • memory/808-7-0x00000000012E0000-0x00000000012E1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/808-8-0x00000000013A0000-0x00000000013A1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/808-68-0x0000000010490000-0x0000000010502000-memory.dmp

                          Filesize

                          456KB

                          Download

                        • memory/808-66-0x0000000003E30000-0x0000000003E31000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/808-86-0x0000000010490000-0x0000000010502000-memory.dmp

                          Filesize

                          456KB

                          Download

                        • memory/3048-2-0x0000000010410000-0x0000000010482000-memory.dmp

                          Filesize

                          456KB

                          Download

                        • memory/3048-63-0x0000000010490000-0x0000000010502000-memory.dmp

                          Filesize

                          456KB

                          Download

                        • memory/3336-153-0x0000000010590000-0x0000000010602000-memory.dmp

                          Filesize

                          456KB

                          Download