3fd36d02c3fc288fd7f9d4bac61784d4c05ce5d3818e61fdc926b40db688b800

Analysis

max time kernel
80s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_515acc30942b37ab072e9b819892df10.exe
Size

150KB
MD5

515acc30942b37ab072e9b819892df10
SHA1

b99ccf5799f599103c1e3bccf59af14c5859c62d
SHA256

3fd36d02c3fc288fd7f9d4bac61784d4c05ce5d3818e61fdc926b40db688b800
SHA512

9ec9fbc3c40f75a7d74c51cfb4ba85d8d4d7c5af341860e39cc57e2b41abf8c0ccbbe09512f5fd69506024a00980cb20ffa33db003be76339b3c1f193cffbce6
SSDEEP

3072:0lctl8STlrLKnRVWh0q8ntMviU9tv+SRtcFcoeYkmkCI:0UlJTJLKXq8ntMviU9tmSRqiAkmk

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	inlEBBA.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	D63C.tmp
2832	inlEBBA.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57eca2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5518FC90-76A3-47FE-9440-7FF44A419D13}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDCB.tmp	msiexec.exe
File created	C:\Windows\Installer\e57eca6.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\e57eca2.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6116	1740	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlEBBA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D63C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe
2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe
4280	msiexec.exe
4280	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1448	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1448	msiexec.exe
Token: SeSecurityPrivilege	4280	msiexec.exe
Token: SeCreateTokenPrivilege	1448	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1448	msiexec.exe
Token: SeLockMemoryPrivilege	1448	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1448	msiexec.exe
Token: SeMachineAccountPrivilege	1448	msiexec.exe
Token: SeTcbPrivilege	1448	msiexec.exe
Token: SeSecurityPrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeLoadDriverPrivilege	1448	msiexec.exe
Token: SeSystemProfilePrivilege	1448	msiexec.exe
Token: SeSystemtimePrivilege	1448	msiexec.exe
Token: SeProfSingleProcessPrivilege	1448	msiexec.exe
Token: SeIncBasePriorityPrivilege	1448	msiexec.exe
Token: SeCreatePagefilePrivilege	1448	msiexec.exe
Token: SeCreatePermanentPrivilege	1448	msiexec.exe
Token: SeBackupPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeShutdownPrivilege	1448	msiexec.exe
Token: SeDebugPrivilege	1448	msiexec.exe
Token: SeAuditPrivilege	1448	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1448	msiexec.exe
Token: SeChangeNotifyPrivilege	1448	msiexec.exe
Token: SeRemoteShutdownPrivilege	1448	msiexec.exe
Token: SeUndockPrivilege	1448	msiexec.exe
Token: SeSyncAgentPrivilege	1448	msiexec.exe
Token: SeEnableDelegationPrivilege	1448	msiexec.exe
Token: SeManageVolumePrivilege	1448	msiexec.exe
Token: SeImpersonatePrivilege	1448	msiexec.exe
Token: SeCreateGlobalPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeIncBasePriorityPrivilege	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe
Token: SeTakeOwnershipPrivilege	4280	msiexec.exe
Token: SeRestorePrivilege	4280	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1740	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	90
PID 2568 wrote to memory of 1740	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	90
PID 2568 wrote to memory of 1740	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	90
PID 2568 wrote to memory of 1448	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	98
PID 2568 wrote to memory of 1448	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	98
PID 2568 wrote to memory of 1448	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	98
PID 2568 wrote to memory of 2060	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	101
PID 2568 wrote to memory of 2060	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	101
PID 2568 wrote to memory of 2060	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	101
PID 2568 wrote to memory of 32	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	103
PID 2568 wrote to memory of 32	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	103
PID 2568 wrote to memory of 32	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	103
PID 2568 wrote to memory of 4760	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	105
PID 2568 wrote to memory of 4760	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	105
PID 2568 wrote to memory of 4760	2568	JaffaCakes118_515acc30942b37ab072e9b819892df10.exe	105
PID 32 wrote to memory of 1764	32	cmd.exe	107
PID 32 wrote to memory of 1764	32	cmd.exe	107
PID 32 wrote to memory of 1764	32	cmd.exe	107
PID 2060 wrote to memory of 2832	2060	cmd.exe	108
PID 2060 wrote to memory of 2832	2060	cmd.exe	108
PID 2060 wrote to memory of 2832	2060	cmd.exe	108
PID 4280 wrote to memory of 2660	4280	msiexec.exe	109
PID 4280 wrote to memory of 2660	4280	msiexec.exe	109
PID 4280 wrote to memory of 2660	4280	msiexec.exe	109
PID 2832 wrote to memory of 1040	2832	inlEBBA.tmp	113
PID 2832 wrote to memory of 1040	2832	inlEBBA.tmp	113
PID 2832 wrote to memory of 1040	2832	inlEBBA.tmp	113

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_515acc30942b37ab072e9b819892df10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_515acc30942b37ab072e9b819892df10.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\D63C.tmp
  C:\Users\Admin\AppData\Roaming\D63C.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 264
    3⤵
    - Program crash
    PID:6116
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSE7E~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\inlEBBA.tmp
    C:\Users\Admin\AppData\Local\Temp\inlEBBA.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEBBA.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1740 -ip 1740
1⤵
PID:4400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1BDA801DEC9A99DAA503EDCFAE32076
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57eca5.rbs

Filesize
8KB

MD5
b861cc066da67f4936b69cdc99e85c16

SHA1
bbfb1a0b267d1bc2fe6949dc3871adc6f7346e52

SHA256
769d60f9b8c3632b225b6682ccb74f00633b82bcd258dd6b928a8562c4b2965f

SHA512
4dec394e8870ad4cce960ed74a84e885165f9e1c8fbaf8818aafa2c5c3f6231561efcd721de9f73fe32dfcdd574a9c6e83e22ee4a70af44ffc152c7fd943067c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSE7E~1.INI

Filesize
66KB

MD5
672bb9308da278364e6e04ce7338a262

SHA1
07b00bf4b7af089a792809cc3aad3c5271abefd4

SHA256
25b38f8ec28b0935e2a6c5802b8317296d44d784455e16efcb86e54c52299746

SHA512
ecdc018cfe756fd26f3955df348dfb71eff1fbb37acd6dc0b7d162895d0a39e99743900ed05b6991c2f4d63564a76b77a01a0cf90a2af3b7fb8295958fda7052

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
a70f3b7a0498e0d44cb60673cc884eec

SHA1
a684d3f4906f452b01eac429bf6030655685be58

SHA256
3fbb1063f292e9049dd56edc9c390e942ab390a69c85210aecf82152a0d2e4f8

SHA512
313cec18517b3fba881502e58639f1c36374bb98c6814f6066207b1762ae692edf3fbc88083b326a3d4864d8ece9c566df139e251b867287e19c71c4057d84f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1740-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1740-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1740-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-31-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/2568-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-1-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/2832-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download