Analysis
max time kernel: 134s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2025, 09:30
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
Size: 150KB
MD5: 55d751c908745c2f4334526d1d09967a
SHA1: d0ffbf4e40c650b894bed73537440e25535ea1b5
SHA256: be39b755d4d86b50db73b11f8408701e8dfe3b8de1fe652d153803515569a334
SHA512: 1720482c2dd4b0e9d45ce2b2708fee0327dd153e45e3f53106993f95c5b59ab6aa4a10ea4a0f685234253f1cd049fdc6d2adbd1021ebd7b232a505564513f935
SSDEEP: 3072:tlxAxiiAYXRJ1cbuR3m8KoNVzbqQ+yaKf4baDJws3wDC:tePXD1zQuNV1+yiC
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | inlB98E.tmp
Executes dropped EXE (2 IoCs)
pid | Process
1860 | A633.tmp
3264 | inlB98E.tmp
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
(Each of the 23 drive letters above was opened twice by msiexec.exe, giving the 46 IoCs; the report lists them in capture order, regrouped here by letter.)
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6CB27FD5-21F9-4FF3-90C2-BF069FC33424} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBC0C.tmp | msiexec.exe
File created | C:\Windows\Installer\e57baf7.msi | msiexec.exe
File created | C:\Windows\Installer\e57baf3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57baf3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4200 | 1860 | WerFault.exe | 92
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | A633.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | expand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inlB98E.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
2212 | msiexec.exe
2212 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 token adjustments are grouped here by process; the report lists them individually in capture order.
pid | Process | Tokens adjusted
4092 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
2212 | msiexec.exe | SeSecurityPrivilege (1 entry), then alternating SeRestorePrivilege / SeTakeOwnershipPrivilege (16 SeRestorePrivilege and 15 SeTakeOwnershipPrivilege entries; 32 entries in total)
3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe | SeIncBasePriorityPrivilege (1 entry)
Suspicious use of WriteProcessMemory (27 IoCs)
Each parent-to-child write below is reported three times in the capture (9 distinct pairs, 27 entries).
description | pid | Process | procid_target
PID 3692 wrote to memory of 1860 | 3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe | 92
PID 3692 wrote to memory of 4092 | 3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe | 100
PID 3692 wrote to memory of 2432 | 3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe | 103
PID 3692 wrote to memory of 5016 | 3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe | 105
PID 3692 wrote to memory of 2108 | 3692 | JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe | 107
PID 5016 wrote to memory of 1924 | 5016 | cmd.exe | 109
PID 2212 wrote to memory of 2148 | 2212 | msiexec.exe | 111
PID 2432 wrote to memory of 3264 | 2432 | cmd.exe | 110
PID 3264 wrote to memory of 3964 | 3264 | inlB98E.tmp | 115
Processes
(Bracketed numbers give the depth in the process tree; indented entries are children of the entry above them.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe"
    PID: 3692
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\A633.tmp
        Command line: C:\Users\Admin\AppData\Roaming\A633.tmp
        PID: 1860
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 264
            PID: 4200
            - Program crash

    [2] C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSB61~1.INI /quiet
        PID: 4092
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
        PID: 2432
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\inlB98E.tmp
            Command line: C:\Users\Admin\AppData\Local\Temp\inlB98E.tmp cdf1912.tmp
            PID: 3264
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlB98E.tmp > nul
                PID: 3964
                - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
        PID: 5016
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\expand.exe
            Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
            PID: 1924
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
        PID: 2108
        - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1860 -ip 1860
    PID: 4468

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 2212
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E9A06BDD53076B06E312206B4DB4B001
        PID: 2148
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads