c3602b928620babfa2e75c91c6935311dcdf4ef3977de776a754d85d58adbf57

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe
Size

150KB
MD5

32beba91aa9daff8d0420272fe7796c5
SHA1

3ed4e2e111cb9ed9a37e43724ef060562c983642
SHA256

c3602b928620babfa2e75c91c6935311dcdf4ef3977de776a754d85d58adbf57
SHA512

5c73f07c68a99ecdd811b252e0b68ac4654a78fe98a5584abdd74245e0d44382c964d2b792f4a8e7ed3d4f35d0e1ad31e1174e5a81d8675cd9d9f3c90176fc6c
SSDEEP

3072:uv5zQKSJs/rWDVV8EcUqgzOc8hdF/7oQkx5YbMHkdv2x:c5MK2orQ7XAgzahdJ3s5YKIvu

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	inlDB3F.tmp

Executes dropped EXE 2 IoCs

pid	Process
3752	indC747.tmp
3656	inlDB3F.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{47E0658C-8372-46D6-98DD-4949AFCD2E11}	msiexec.exe
File created	C:\Windows\Installer\e57dc79.msi	msiexec.exe
File created	C:\Windows\Installer\e57dc75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dc75.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEE6.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
244	3752	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	indC747.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlDB3F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe
4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe
3776	msiexec.exe
3776	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	732	msiexec.exe
Token: SeSecurityPrivilege	3776	msiexec.exe
Token: SeCreateTokenPrivilege	732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	732	msiexec.exe
Token: SeLockMemoryPrivilege	732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	732	msiexec.exe
Token: SeMachineAccountPrivilege	732	msiexec.exe
Token: SeTcbPrivilege	732	msiexec.exe
Token: SeSecurityPrivilege	732	msiexec.exe
Token: SeTakeOwnershipPrivilege	732	msiexec.exe
Token: SeLoadDriverPrivilege	732	msiexec.exe
Token: SeSystemProfilePrivilege	732	msiexec.exe
Token: SeSystemtimePrivilege	732	msiexec.exe
Token: SeProfSingleProcessPrivilege	732	msiexec.exe
Token: SeIncBasePriorityPrivilege	732	msiexec.exe
Token: SeCreatePagefilePrivilege	732	msiexec.exe
Token: SeCreatePermanentPrivilege	732	msiexec.exe
Token: SeBackupPrivilege	732	msiexec.exe
Token: SeRestorePrivilege	732	msiexec.exe
Token: SeShutdownPrivilege	732	msiexec.exe
Token: SeDebugPrivilege	732	msiexec.exe
Token: SeAuditPrivilege	732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	732	msiexec.exe
Token: SeChangeNotifyPrivilege	732	msiexec.exe
Token: SeRemoteShutdownPrivilege	732	msiexec.exe
Token: SeUndockPrivilege	732	msiexec.exe
Token: SeSyncAgentPrivilege	732	msiexec.exe
Token: SeEnableDelegationPrivilege	732	msiexec.exe
Token: SeManageVolumePrivilege	732	msiexec.exe
Token: SeImpersonatePrivilege	732	msiexec.exe
Token: SeCreateGlobalPrivilege	732	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeIncBasePriorityPrivilege	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3752	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	88
PID 4416 wrote to memory of 3752	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	88
PID 4416 wrote to memory of 3752	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	88
PID 4416 wrote to memory of 732	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	92
PID 4416 wrote to memory of 732	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	92
PID 4416 wrote to memory of 732	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	92
PID 4416 wrote to memory of 816	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	95
PID 4416 wrote to memory of 816	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	95
PID 4416 wrote to memory of 816	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	95
PID 4416 wrote to memory of 4564	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	97
PID 4416 wrote to memory of 4564	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	97
PID 4416 wrote to memory of 4564	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	97
PID 4416 wrote to memory of 1308	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	99
PID 4416 wrote to memory of 1308	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	99
PID 4416 wrote to memory of 1308	4416	JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe	99
PID 4564 wrote to memory of 4732	4564	cmd.exe	101
PID 4564 wrote to memory of 4732	4564	cmd.exe	101
PID 4564 wrote to memory of 4732	4564	cmd.exe	101
PID 816 wrote to memory of 3656	816	cmd.exe	102
PID 816 wrote to memory of 3656	816	cmd.exe	102
PID 816 wrote to memory of 3656	816	cmd.exe	102
PID 3776 wrote to memory of 3444	3776	msiexec.exe	103
PID 3776 wrote to memory of 3444	3776	msiexec.exe	103
PID 3776 wrote to memory of 3444	3776	msiexec.exe	103
PID 3656 wrote to memory of 1152	3656	inlDB3F.tmp	108
PID 3656 wrote to memory of 1152	3656	inlDB3F.tmp	108
PID 3656 wrote to memory of 1152	3656	inlDB3F.tmp	108

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32beba91aa9daff8d0420272fe7796c5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\indC747.tmp
  C:\Users\Admin\AppData\Local\Temp\indC747.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 264
    3⤵
    - Program crash
    PID:244
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSD6B~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\inlDB3F.tmp
    C:\Users\Admin\AppData\Local\Temp\inlDB3F.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlDB3F.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3752 -ip 3752
1⤵
PID:400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BF18B600E0931546F2D6684280164931
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57dc78.rbs

Filesize
8KB

MD5
3d05a8171409a6e3b32f9b71cff050ca

SHA1
99a956f052dfa7599692585b5a0904a5c09c3bfc

SHA256
13872b6b8369dade02e82de39447ce6bd7157fbfef8cefcb36ab8523389beb2a

SHA512
819f0e821c4f541eaab7957c5859771e6f6203ee0cd336bac340e7207bac2a6c4d31f8991420ab37c171e55313ac62399f848bb6742b4268205c919ec46c2329

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSD6B~1.INI

Filesize
66KB

MD5
ceb3c77fc930e086cd46eb5c493f0e76

SHA1
2c68b089c6ee94a628859e9129df7c1ddc7b1d04

SHA256
2a01f0bc5a99f7b70b68d2e69cad0be04a5e7acc50400917255a41920535b2ea

SHA512
78755552647de55ab2732cb6d220364dc7914f071832f704bc9b3c62c4752dd305b831d777cefbcce692689a5b8335ab38228da180b7b2f05607364d5aa3a1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
b8b7514b3a821011a1a04113836c500c

SHA1
01e27c3f4f862ae66c36f21623c27712ed199e61

SHA256
14e5b37a5e17d6c144d00bdc20cb48479efa5f22ba3bd71da4a013e9c227cc0b

SHA512
86dc148b99274cd3fa9dc500bba92e9c6be1ccaf05eaeab6aa0ade4a12129175ddae7a2141c22d804d8b1b3af9ecdd9c3d6de98618f88168af38da8342a896fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/3656-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3752-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3752-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3752-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4416-31-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/4416-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download