Analysis
max time kernel: 92s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2025, 07:04
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe
Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe
Size: 150KB
MD5: 5566b352ca28f36930419aef3b549b06
SHA1: 3b459962e6f3e02281d415ef3bd172f032d157fb
SHA256: e111ff1e83c2fe4b793db98cecd8b2b349a22dada5c0c02d3c12c605a9387287
SHA512: aa50a3ef289a7d31baab218339703d1391865967689aefcfc2fd1e4b241ef2493d95b55ae479065da3ad5dfe77722b62b3bf0a02740c495d7306c0d0e235e840
SSDEEP: 3072:xwFLsFwUlUvxbZvzJhpcaI9TPZWmU+AYjakjI:qFLsXuxbZvzPpcHTZnDY
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation (process: inl951E.tmp)
Executes dropped EXE (2 IoCs)
pid 3388: 80A9.tmp
pid 4396: inl951E.tmp
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, 46 entries in order of occurrence (some drive letters are opened more than once): \??\H:, \??\J:, \??\V:, \??\W:, \??\X:, \??\S:, \??\T:, \??\O:, \??\Q:, \??\Q:, \??\Y:, \??\E:, \??\U:, \??\O:, \??\N:, \??\T:, \??\B:, \??\J:, \??\K:, \??\L:, \??\M:, \??\P:, \??\I:, \??\P:, \??\S:, \??\N:, \??\R:, \??\W:, \??\X:, \??\Z:, \??\G:, \??\K:, \??\A:, \??\B:, \??\L:, \??\R:, \??\Y:, \??\Z:, \??\H:, \??\U:, \??\M:, \??\A:, \??\E:, \??\G:, \??\I:, \??\V:
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Windows directory (10 IoCs)
File opened for modification: C:\Windows\Installer\ (process: msiexec.exe)
File created: C:\Windows\Installer\SourceHash{DEA3B910-758C-42E2-A3A1-3CB6C5D241DB} (process: msiexec.exe)
File opened for modification: C:\Windows\Installer\MSI96F0.tmp (process: msiexec.exe)
File created: C:\Windows\Installer\e5795eb.msi (process: msiexec.exe)
File opened for modification: C:\Windows\LOGS\DPX\setupact.log (process: expand.exe)
File opened for modification: C:\Windows\Installer\e5795e7.msi (process: msiexec.exe)
File created: C:\Windows\Installer\inprogressinstallinfo.ipi (process: msiexec.exe)
File opened for modification: C:\Windows\LOGS\DPX\setuperr.log (process: expand.exe)
File created: C:\Windows\Installer\e5795e7.msi (process: msiexec.exe)
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (process: msiexec.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid 3780 (WerFault.exe), pid_target 3388, procid_target 89
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes (10 entries, in order of occurrence): cmd.exe, cmd.exe, MsiExec.exe, inl951E.tmp, cmd.exe, JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe, 80A9.tmp, msiexec.exe, expand.exe, cmd.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 1020: JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe (2 entries)
pid 4836: msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 4816, msiexec.exe (31 entries, in order of occurrence): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
pid 4836, msiexec.exe (32 entries): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (16 SeRestorePrivilege, 15 SeTakeOwnershipPrivilege)
pid 1020, JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe (1 entry): SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (27 IoCs; each relation is recorded three times)
PID 1020 (JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe) wrote to memory of 3388, procid_target 89
PID 1020 (JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe) wrote to memory of 4816, procid_target 97
PID 1020 (JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe) wrote to memory of 2516, procid_target 100
PID 1020 (JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe) wrote to memory of 4572, procid_target 101
PID 1020 (JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe) wrote to memory of 4916, procid_target 104
PID 4836 (msiexec.exe) wrote to memory of 624, procid_target 106
PID 4572 (cmd.exe) wrote to memory of 2228, procid_target 107
PID 2516 (cmd.exe) wrote to memory of 4396, procid_target 108
PID 4396 (inl951E.tmp) wrote to memory of 1084, procid_target 112
Processes (indentation shows the parent/child depth of the process tree)
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5566b352ca28f36930419aef3b549b06.exe"
  PID: 1020
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Process: C:\Users\Admin\AppData\Roaming\80A9.tmp
    Command line: C:\Users\Admin\AppData\Roaming\80A9.tmp
    PID: 3388
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Process: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 264
      PID: 3780
      - Program crash
  Process: C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS912~1.INI /quiet
    PID: 4816
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  Process: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
    PID: 2516
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Process: C:\Users\Admin\AppData\Local\Temp\inl951E.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\inl951E.tmp cdf1912.tmp
      PID: 4396
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Process: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl951E.tmp > nul
        PID: 1084
        - System Location Discovery: System Language Discovery
  Process: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
    PID: 4572
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Process: C:\Windows\SysWOW64\expand.exe
      Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
      PID: 2228
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
  Process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
    PID: 4916
    - System Location Discovery: System Language Discovery
Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3388 -ip 3388
  PID: 3524
Process: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4836
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ABA3C6D8E403888A30BFC237D7D42924
    PID: 624
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 8KB
MD5: 226bd121de70dc1ef9095950b40028dd
SHA1: e8d1d4be1492335727fc06c361d312c961194dcd
SHA256: e7a84b293ba35368b7715cc5f3ad33c12646492b37ab72f57f219d315acb32f2
SHA512: fe3ee37efcb7cae02225382e37ccfa10b8783b9136b622fc84040863b45517e52e7e23032e5abe357b119f4e4e223886d5495842b281fbc8aa169d8a42a15de0

File 2
Filesize: 66KB
MD5: a13bc4ee6acd62a775c66f6d96f7a17f
SHA1: 05f550248631ca6e01dfbe5766e5bd688dd1bba1
SHA256: 7741adab3f65ed2a9bf35939e24a9561595bf3a9f80a76d0f73561a889da1a2d
SHA512: 9854b3351aba6d4d867604caf78fa79d80e080d5027276f14387d68c1b5be4da9c3af6e13478278b77e07bd8ba38a6f26c8b577a94fb148e86cea92842ff0f0a

File 3
Filesize: 765B
MD5: a4a4219ce5fdbaf2864b04ca4e453ac9
SHA1: 98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9
SHA256: 7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6
SHA512: 22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

File 4
Filesize: 57B
MD5: f11bace42fa87903b20c6cb65ff65960
SHA1: 9300c41f7b4e3205be3804d0df7db9daf3b24ada
SHA256: c0f11c501b8bb64fd0b9852a2521bc627fd71381ff11843ccc4d24f0f38acd74
SHA512: 0470c8552bfd6fe6b6a854c4f014db339f3614b86513307c022d3e85420dcfccf86209f64c30f0caef4ee81004ee702993a10553b0b0a9192d5756a2afeae72f

File 5
Filesize: 98B
MD5: 8663de6fce9208b795dc913d1a6a3f5b
SHA1: 882193f208cf012eaf22eeaa4fef3b67e7c67c15
SHA256: 2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61
SHA512: 9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

File 6
Filesize: 425B
MD5: da68bc3b7c3525670a04366bc55629f5
SHA1: 15fda47ecfead7db8f7aee6ca7570138ba7f1b71
SHA256: 73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5
SHA512: 6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0