a8b07ceb5ea8eec1f1a43d02bc04bcaa42b14a930326b317ac37bf6420264378

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
Size

150KB
MD5

3e1fc8d995b66ae088ca02e3a3739c51
SHA1

c08f95f560b77aae229cea84abd01eb6486680ba
SHA256

a8b07ceb5ea8eec1f1a43d02bc04bcaa42b14a930326b317ac37bf6420264378
SHA512

a81ece2a090fee61d0a83bad246dbb87c77629229b54dfac437f0e4d2f97c962909c047f03458e7792f22f8f6d855980d0b15cebac9a229a2b5bc56eadb84bc7
SSDEEP

3072:6ldlXTPtEgUJmh+aDY+puszTjGkZHKZApg0P77mag417WHFRlyAtd6AN:6RTPtEgTh+aDyszTKkZH1pg0P7rb7WlB

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	inlFBC7.tmp

Executes dropped EXE 2 IoCs

pid	Process
2172	E733.tmp
1880	inlFBC7.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFE07.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\e57fcbf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5518FC90-76A3-47FE-9440-7FF44A419D13}	msiexec.exe
File created	C:\Windows\Installer\e57fcc3.msi	msiexec.exe
File created	C:\Windows\Installer\e57fcbf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3868	2172	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E733.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlFBC7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
4696	msiexec.exe
4696	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	528	msiexec.exe
Token: SeSecurityPrivilege	4696	msiexec.exe
Token: SeCreateTokenPrivilege	528	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	528	msiexec.exe
Token: SeLockMemoryPrivilege	528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	528	msiexec.exe
Token: SeMachineAccountPrivilege	528	msiexec.exe
Token: SeTcbPrivilege	528	msiexec.exe
Token: SeSecurityPrivilege	528	msiexec.exe
Token: SeTakeOwnershipPrivilege	528	msiexec.exe
Token: SeLoadDriverPrivilege	528	msiexec.exe
Token: SeSystemProfilePrivilege	528	msiexec.exe
Token: SeSystemtimePrivilege	528	msiexec.exe
Token: SeProfSingleProcessPrivilege	528	msiexec.exe
Token: SeIncBasePriorityPrivilege	528	msiexec.exe
Token: SeCreatePagefilePrivilege	528	msiexec.exe
Token: SeCreatePermanentPrivilege	528	msiexec.exe
Token: SeBackupPrivilege	528	msiexec.exe
Token: SeRestorePrivilege	528	msiexec.exe
Token: SeShutdownPrivilege	528	msiexec.exe
Token: SeDebugPrivilege	528	msiexec.exe
Token: SeAuditPrivilege	528	msiexec.exe
Token: SeSystemEnvironmentPrivilege	528	msiexec.exe
Token: SeChangeNotifyPrivilege	528	msiexec.exe
Token: SeRemoteShutdownPrivilege	528	msiexec.exe
Token: SeUndockPrivilege	528	msiexec.exe
Token: SeSyncAgentPrivilege	528	msiexec.exe
Token: SeEnableDelegationPrivilege	528	msiexec.exe
Token: SeManageVolumePrivilege	528	msiexec.exe
Token: SeImpersonatePrivilege	528	msiexec.exe
Token: SeCreateGlobalPrivilege	528	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeIncBasePriorityPrivilege	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe
Token: SeTakeOwnershipPrivilege	4696	msiexec.exe
Token: SeRestorePrivilege	4696	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2172	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	92
PID 1912 wrote to memory of 2172	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	92
PID 1912 wrote to memory of 2172	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	92
PID 1912 wrote to memory of 528	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	102
PID 1912 wrote to memory of 528	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	102
PID 1912 wrote to memory of 528	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	102
PID 1912 wrote to memory of 208	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	105
PID 1912 wrote to memory of 208	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	105
PID 1912 wrote to memory of 208	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	105
PID 1912 wrote to memory of 2200	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	106
PID 1912 wrote to memory of 2200	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	106
PID 1912 wrote to memory of 2200	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	106
PID 1912 wrote to memory of 4940	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	109
PID 1912 wrote to memory of 4940	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	109
PID 1912 wrote to memory of 4940	1912	JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe	109
PID 2200 wrote to memory of 844	2200	cmd.exe	111
PID 2200 wrote to memory of 844	2200	cmd.exe	111
PID 2200 wrote to memory of 844	2200	cmd.exe	111
PID 4696 wrote to memory of 2708	4696	msiexec.exe	112
PID 4696 wrote to memory of 2708	4696	msiexec.exe	112
PID 4696 wrote to memory of 2708	4696	msiexec.exe	112
PID 208 wrote to memory of 1880	208	cmd.exe	113
PID 208 wrote to memory of 1880	208	cmd.exe	113
PID 208 wrote to memory of 1880	208	cmd.exe	113
PID 1880 wrote to memory of 2276	1880	inlFBC7.tmp	116
PID 1880 wrote to memory of 2276	1880	inlFBC7.tmp	116
PID 1880 wrote to memory of 2276	1880	inlFBC7.tmp	116

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e1fc8d995b66ae088ca02e3a3739c51.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Roaming\E733.tmp
  C:\Users\Admin\AppData\Roaming\E733.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 264
    3⤵
    - Program crash
    PID:3868
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSF77~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\inlFBC7.tmp
    C:\Users\Admin\AppData\Local\Temp\inlFBC7.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlFBC7.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2172 -ip 2172
1⤵
PID:1252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 669F335F02AA1ECDC200AE2215ECD5DA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fcc2.rbs

Filesize
8KB

MD5
2717808203248230225ad423796bd4a9

SHA1
11134615630a3e422416405cf83d57d25245e74d

SHA256
1f049c1b19e556c4723197b592a2601515c7fa18abab56b9d0c7b37f1cc31d3d

SHA512
9b77af5a753be94511f08ff923713e6a5b18e6b25c5b97a2ce7fe4faf3ba031e07b7547979a6e472bf8f192baa6aa6d0dc089e2f8275f48205e6d7e3ee645077

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSF77~1.INI

Filesize
66KB

MD5
4317d6cf1c21bb9b3015a13a82d6d56b

SHA1
7ab9df599d28ddcba4573bc6f0194cd2101445e6

SHA256
8fae82a37caa960bbd06c1f35982c42ec0ce4981109991aaf392eeaabe972c16

SHA512
87cd195c4c6f0038aadf43e1f57a7ab94c66834543df147a28ccd2e045d0a79e43a3de2f5a3ff3d6e1a4a0edb30d9d90c828fe26649c4a7e94554a02d9e24cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
9700c9fc964301bd01511daeec409b3b

SHA1
56767d85e84a69ffbf0b632dff668c5bb32348bc

SHA256
237a0217c1f5bb87753a6fb1415cc11ee6466e9a23c1578c8d4c2e99441eb375

SHA512
007966b2df3515b7279b0a36dda0c325bfa7fad05c1710d7d9178c73fe865a3c78811df432781c84435b3fb41522efeeb98d99fa4864d9b968e8ed1e09bd86fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1880-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1912-31-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1912-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2172-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2172-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2172-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download