Analysis
max time kernel: 140s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted: 05/03/2025, 05:59
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_50cefa40519163f69d83763282206abe.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_50cefa40519163f69d83763282206abe.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_50cefa40519163f69d83763282206abe.exe
Size: 150KB
MD5: 50cefa40519163f69d83763282206abe
SHA1: 9c413612d4f19f3c049ab3df61d81a025a7414e5
SHA256: a1065afb321ea00ebed112f1cde90fdfc6f51c6e849f3909b13a0f70ec8b5dae
SHA512: e8fb83ee33793b0406604f7fd166f2fc11156495fa9102ed7db5bffae370867477b168091a7d59a5a8c6323f63d0901abb3c00a31c839e689f7febed4d448bae
SSDEEP: 3072:gwFLv/9SNIItxH6As+4d5lp8ZIGOYjlh9X1xcIMxArGrW2+8YVp3pD1KYZ:HFLv/9SNIAxH6A743Y9RAxoFXJ51D
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | JaffaCakes118_50cefa40519163f69d83763282206abe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | inl8474.tmp

Executes dropped EXE (2 IoCs)
pid | Process
1432 | 6FD1.tmp
4500 | inl8474.tmp
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{89779F51-997A-4BD2-BA63-1DC5118B8A46} | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
File opened for modification | C:\Windows\Installer\e57857c.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI86E3.tmp | msiexec.exe
File created | C:\Windows\Installer\e578580.msi | msiexec.exe
File created | C:\Windows\Installer\e57857c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
376 | 1432 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6FD1.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | expand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inl8474.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_50cefa40519163f69d83763282206abe.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe
3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe
4092 | msiexec.exe
4092 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2844 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2844 | msiexec.exe
Token: SeSecurityPrivilege | 4092 | msiexec.exe
Token: SeCreateTokenPrivilege | 2844 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2844 | msiexec.exe
Token: SeLockMemoryPrivilege | 2844 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2844 | msiexec.exe
Token: SeMachineAccountPrivilege | 2844 | msiexec.exe
Token: SeTcbPrivilege | 2844 | msiexec.exe
Token: SeSecurityPrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeLoadDriverPrivilege | 2844 | msiexec.exe
Token: SeSystemProfilePrivilege | 2844 | msiexec.exe
Token: SeSystemtimePrivilege | 2844 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2844 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2844 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2844 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2844 | msiexec.exe
Token: SeBackupPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeShutdownPrivilege | 2844 | msiexec.exe
Token: SeDebugPrivilege | 2844 | msiexec.exe
Token: SeAuditPrivilege | 2844 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2844 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2844 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2844 | msiexec.exe
Token: SeUndockPrivilege | 2844 | msiexec.exe
Token: SeSyncAgentPrivilege | 2844 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2844 | msiexec.exe
Token: SeManageVolumePrivilege | 2844 | msiexec.exe
Token: SeImpersonatePrivilege | 2844 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4092 | msiexec.exe
Token: SeRestorePrivilege | 4092 | msiexec.exe
Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target
PID 3532 wrote to memory of 1432 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 88
PID 3532 wrote to memory of 1432 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 88
PID 3532 wrote to memory of 1432 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 88
PID 3532 wrote to memory of 2844 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 96
PID 3532 wrote to memory of 2844 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 96
PID 3532 wrote to memory of 2844 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 96
PID 3532 wrote to memory of 2652 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 100
PID 3532 wrote to memory of 2652 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 100
PID 3532 wrote to memory of 2652 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 100
PID 3532 wrote to memory of 220 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 101
PID 3532 wrote to memory of 220 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 101
PID 3532 wrote to memory of 220 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 101
PID 3532 wrote to memory of 1520 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 104
PID 3532 wrote to memory of 1520 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 104
PID 3532 wrote to memory of 1520 | 3532 | JaffaCakes118_50cefa40519163f69d83763282206abe.exe | 104
PID 220 wrote to memory of 3388 | 220 | cmd.exe | 106
PID 220 wrote to memory of 3388 | 220 | cmd.exe | 106
PID 220 wrote to memory of 3388 | 220 | cmd.exe | 106
PID 4092 wrote to memory of 1212 | 4092 | msiexec.exe | 107
PID 4092 wrote to memory of 1212 | 4092 | msiexec.exe | 107
PID 4092 wrote to memory of 1212 | 4092 | msiexec.exe | 107
PID 2652 wrote to memory of 4500 | 2652 | cmd.exe | 108
PID 2652 wrote to memory of 4500 | 2652 | cmd.exe | 108
PID 2652 wrote to memory of 4500 | 2652 | cmd.exe | 108
PID 4500 wrote to memory of 2440 | 4500 | inl8474.tmp | 111
PID 4500 wrote to memory of 2440 | 4500 | inl8474.tmp | 111
PID 4500 wrote to memory of 2440 | 4500 | inl8474.tmp | 111
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cefa40519163f69d83763282206abe.exe (PID 3532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cefa40519163f69d83763282206abe.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\6FD1.tmp (PID 1432)
    Command line: C:\Users\Admin\AppData\Roaming\6FD1.tmp
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (PID 376)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 224
      Signatures: Program crash
  - C:\Windows\SysWOW64\msiexec.exe (PID 2844)
    Command line: "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS807~1.INI /quiet
    Signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2652)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\inl8474.tmp (PID 4500)
      Command line: C:\Users\Admin\AppData\Local\Temp\inl8474.tmp cdf1912.tmp
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2440)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8474.tmp > nul
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 220)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\expand.exe (PID 3388)
      Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
      Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1520)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
    Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 2968)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1432 -ip 1432
- C:\Windows\system32\msiexec.exe (PID 4092)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1212)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BE4048B9C7572A5D85E5BFD78043D900
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: ae1e579f2cfaa2f4ae96d8f9b6f9e06f
SHA1: 5587da1018907dfcd0d8dbb162e476685ab99689
SHA256: 9377bf486640706f5a0871bc865222528e42b11dbcc79a627d01b57cbca893d9
SHA512: 2b1685c40cf21de5be292e62129746c75d7fb82fa9244f2ebc8597701160f2f894079d11d943210d6d6fc2ade45105835c4867d29ba8106c4680d20ebdd53030

Filesize: 66KB
MD5: 0a485980207fa89da57d2bf348d7ccfd
SHA1: 9efd6a8dc54e29090e15b159d782a5e2bb0e4106
SHA256: f458424a6be5e636128597513fefa45eb9c3c8244f000483d3a2b886a4d32a38
SHA512: 6acbff4ac271a833fdf47502946da69e9a9664c6eefcbf133194be83215b10f4c477474923ea38169f704723e06037074eb342451b8068da7c2c780a6863a8d7

Filesize: 765B
MD5: a4a4219ce5fdbaf2864b04ca4e453ac9
SHA1: 98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9
SHA256: 7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6
SHA512: 22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Filesize: 57B
MD5: c64b553c13fb16f194ed620723f866c3
SHA1: 615d52e5117d56604a6e75241e5d78e2f8ac2e68
SHA256: 4663038e4ce9d8c56aff5a0f08f33f5a659e947ebdc2fc2ebdb5fd6820d80099
SHA512: 8782521ddd7c23cbcbce5a2815544ed782ee47052c98f09667444efbee7c06732f4244611d9e6248694e7d9d0f3ea7c6f26afed660cd9b64da4a6467cbccc2e1

Filesize: 98B
MD5: 8663de6fce9208b795dc913d1a6a3f5b
SHA1: 882193f208cf012eaf22eeaa4fef3b67e7c67c15
SHA256: 2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61
SHA512: 9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Filesize: 425B
MD5: da68bc3b7c3525670a04366bc55629f5
SHA1: 15fda47ecfead7db8f7aee6ca7570138ba7f1b71
SHA256: 73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5
SHA512: 6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0