0c99430cdb20bccc1d2230d477917f719b44131988b76785d13b59f9c2c8dac5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
Size

150KB
MD5

505cc4d4e611208733427336e0b82a50
SHA1

74743b4ef02ea112b953ad3ceda4fd7f709d9851
SHA256

0c99430cdb20bccc1d2230d477917f719b44131988b76785d13b59f9c2c8dac5
SHA512

8af4f803acb77ef04f9831545ed1c5ac56c3d7c206afcc5f2df75f57e79672a14819bc215b284b16597f46c5cd753df805e14cfc763d773f7a0526b54a20ea96
SSDEEP

3072:gwFLv/9SNIItxH6As+4d5lp8ZIGOYjlh9X1xcIMxArGrW2+8YVp3pD1KYX:HFLv/9SNIAxH6A743Y9RAxoFXJ51Z

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	inl8908.tmp

Executes dropped EXE 2 IoCs

pid	Process
3984	73E8.tmp
840	inl8908.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e578a10.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e578a14.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e578a10.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{89779F51-997A-4BD2-BA63-1DC5118B8A46}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B58.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
432	3984	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73E8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl8908.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
4548	msiexec.exe
4548	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1716	msiexec.exe
Token: SeSecurityPrivilege	4548	msiexec.exe
Token: SeCreateTokenPrivilege	1716	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1716	msiexec.exe
Token: SeLockMemoryPrivilege	1716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1716	msiexec.exe
Token: SeMachineAccountPrivilege	1716	msiexec.exe
Token: SeTcbPrivilege	1716	msiexec.exe
Token: SeSecurityPrivilege	1716	msiexec.exe
Token: SeTakeOwnershipPrivilege	1716	msiexec.exe
Token: SeLoadDriverPrivilege	1716	msiexec.exe
Token: SeSystemProfilePrivilege	1716	msiexec.exe
Token: SeSystemtimePrivilege	1716	msiexec.exe
Token: SeProfSingleProcessPrivilege	1716	msiexec.exe
Token: SeIncBasePriorityPrivilege	1716	msiexec.exe
Token: SeCreatePagefilePrivilege	1716	msiexec.exe
Token: SeCreatePermanentPrivilege	1716	msiexec.exe
Token: SeBackupPrivilege	1716	msiexec.exe
Token: SeRestorePrivilege	1716	msiexec.exe
Token: SeShutdownPrivilege	1716	msiexec.exe
Token: SeDebugPrivilege	1716	msiexec.exe
Token: SeAuditPrivilege	1716	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1716	msiexec.exe
Token: SeChangeNotifyPrivilege	1716	msiexec.exe
Token: SeRemoteShutdownPrivilege	1716	msiexec.exe
Token: SeUndockPrivilege	1716	msiexec.exe
Token: SeSyncAgentPrivilege	1716	msiexec.exe
Token: SeEnableDelegationPrivilege	1716	msiexec.exe
Token: SeManageVolumePrivilege	1716	msiexec.exe
Token: SeImpersonatePrivilege	1716	msiexec.exe
Token: SeCreateGlobalPrivilege	1716	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeIncBasePriorityPrivilege	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe
Token: SeTakeOwnershipPrivilege	4548	msiexec.exe
Token: SeRestorePrivilege	4548	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3984	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	91
PID 4368 wrote to memory of 3984	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	91
PID 4368 wrote to memory of 3984	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	91
PID 4368 wrote to memory of 1716	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	99
PID 4368 wrote to memory of 1716	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	99
PID 4368 wrote to memory of 1716	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	99
PID 4368 wrote to memory of 4936	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	102
PID 4368 wrote to memory of 4936	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	102
PID 4368 wrote to memory of 4936	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	102
PID 4368 wrote to memory of 2040	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	104
PID 4368 wrote to memory of 2040	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	104
PID 4368 wrote to memory of 2040	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	104
PID 4368 wrote to memory of 964	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	106
PID 4368 wrote to memory of 964	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	106
PID 4368 wrote to memory of 964	4368	JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe	106
PID 2040 wrote to memory of 872	2040	cmd.exe	108
PID 2040 wrote to memory of 872	2040	cmd.exe	108
PID 2040 wrote to memory of 872	2040	cmd.exe	108
PID 4548 wrote to memory of 2748	4548	msiexec.exe	110
PID 4548 wrote to memory of 2748	4548	msiexec.exe	110
PID 4548 wrote to memory of 2748	4548	msiexec.exe	110
PID 4936 wrote to memory of 840	4936	cmd.exe	109
PID 4936 wrote to memory of 840	4936	cmd.exe	109
PID 4936 wrote to memory of 840	4936	cmd.exe	109
PID 840 wrote to memory of 5108	840	inl8908.tmp	114
PID 840 wrote to memory of 5108	840	inl8908.tmp	114
PID 840 wrote to memory of 5108	840	inl8908.tmp	114

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_505cc4d4e611208733427336e0b82a50.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Roaming\73E8.tmp
  C:\Users\Admin\AppData\Roaming\73E8.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 268
    3⤵
    - Program crash
    PID:432
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS84F~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\inl8908.tmp
    C:\Users\Admin\AppData\Local\Temp\inl8908.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8908.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3984 -ip 3984
1⤵
PID:2240

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8D4970B19D1126D7FB27DBB6AB889A5F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578a13.rbs

Filesize
8KB

MD5
675da45e442c91319593379f37ff80ed

SHA1
80cc0105f1e4e266613a3f71f1ac1414c3025b05

SHA256
aed2fdda02c3d663d6ca28481acd1587c29d4e6e45fc9e6ed4de881f9f7a206b

SHA512
91f8d63723870eb1133769831312320915355900f6b42793d947d6e218a832412201ab2721506efdfeea1c8dbb73023521d6402890004cc3e202e1c6d28fe7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS84F~1.INI

Filesize
66KB

MD5
edfd71ff4db97d98eb06beb789b69b5a

SHA1
05c8e1c02e32d0b84070e2e2756e18b2241c692e

SHA256
34f25d9564222fa46c255c23ae55d5c59b0a84a8d081ed9adce599477af68e1e

SHA512
d50959833e8d5ad9b63579dc419250c77ab8cb232ab8987fd5504582a62212e4c1dc3fe322a92b64cf91f653194839cb703b36023b30815acfed3c0def7e346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
0fa7a934e73e6eb737c4f9898bbb2903

SHA1
9c6a3cc240ce4cf847407f6082a974c7fd5b569d

SHA256
567c2b8d0f41f4d7ca02dddf8ea54da64833cd7331dff6a7c3caa1aa8eaaf287

SHA512
761f11215060bf5a1d949544556d409a8bbde9686c18aa61f1855fe166bdc35632b43f71578b7fc18c4a7f88972dac4872b57ebe191cf6f05b2b40713f169442

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/840-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3984-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3984-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3984-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4368-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-31-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/4368-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-1-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download