fccc25532293ec20f3cd9fef0ba1ec3daf14b7adc5046758952a1d2077656278

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe
Size

150KB
MD5

55fd135b16bc34096a291df2265a6e14
SHA1

42d9b03e6d75a73e48f5f91e895131144174bc4b
SHA256

fccc25532293ec20f3cd9fef0ba1ec3daf14b7adc5046758952a1d2077656278
SHA512

a60ced019c9b9552f55cfe2fa30764649167b9972623339632ca4205186cbd7f3222ce81c8831e13a3167dd15d8e3bbfaf288521f008aaf13ad5343877c4838e
SSDEEP

3072:uv5zQKSJs/rWDVV8EcUqgzOc8hdF/7oQkx5YbMHkdv2z:c5MK2orQ7XAgzahdJ3s5YKIvI

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	inl151B.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe

Executes dropped EXE 2 IoCs

pid	Process
4360	indFC03.tmp
4032	inl151B.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{47E0658C-8372-46D6-98DD-4949AFCD2E11}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19FB.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File created	C:\Windows\Installer\e5815f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5815f4.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\e5815f8.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	4360	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl151B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	indFC03.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe
1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe
3712	msiexec.exe
3712	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	556	msiexec.exe
Token: SeSecurityPrivilege	3712	msiexec.exe
Token: SeCreateTokenPrivilege	556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	556	msiexec.exe
Token: SeLockMemoryPrivilege	556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	556	msiexec.exe
Token: SeMachineAccountPrivilege	556	msiexec.exe
Token: SeTcbPrivilege	556	msiexec.exe
Token: SeSecurityPrivilege	556	msiexec.exe
Token: SeTakeOwnershipPrivilege	556	msiexec.exe
Token: SeLoadDriverPrivilege	556	msiexec.exe
Token: SeSystemProfilePrivilege	556	msiexec.exe
Token: SeSystemtimePrivilege	556	msiexec.exe
Token: SeProfSingleProcessPrivilege	556	msiexec.exe
Token: SeIncBasePriorityPrivilege	556	msiexec.exe
Token: SeCreatePagefilePrivilege	556	msiexec.exe
Token: SeCreatePermanentPrivilege	556	msiexec.exe
Token: SeBackupPrivilege	556	msiexec.exe
Token: SeRestorePrivilege	556	msiexec.exe
Token: SeShutdownPrivilege	556	msiexec.exe
Token: SeDebugPrivilege	556	msiexec.exe
Token: SeAuditPrivilege	556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	556	msiexec.exe
Token: SeChangeNotifyPrivilege	556	msiexec.exe
Token: SeRemoteShutdownPrivilege	556	msiexec.exe
Token: SeUndockPrivilege	556	msiexec.exe
Token: SeSyncAgentPrivilege	556	msiexec.exe
Token: SeEnableDelegationPrivilege	556	msiexec.exe
Token: SeManageVolumePrivilege	556	msiexec.exe
Token: SeImpersonatePrivilege	556	msiexec.exe
Token: SeCreateGlobalPrivilege	556	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeIncBasePriorityPrivilege	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe
Token: SeTakeOwnershipPrivilege	3712	msiexec.exe
Token: SeRestorePrivilege	3712	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 4360	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	89
PID 1984 wrote to memory of 4360	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	89
PID 1984 wrote to memory of 4360	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	89
PID 1984 wrote to memory of 556	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	93
PID 1984 wrote to memory of 556	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	93
PID 1984 wrote to memory of 556	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	93
PID 1984 wrote to memory of 5076	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	96
PID 1984 wrote to memory of 5076	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	96
PID 1984 wrote to memory of 5076	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	96
PID 1984 wrote to memory of 772	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	97
PID 1984 wrote to memory of 772	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	97
PID 1984 wrote to memory of 772	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	97
PID 1984 wrote to memory of 3928	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	100
PID 1984 wrote to memory of 3928	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	100
PID 1984 wrote to memory of 3928	1984	JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe	100
PID 772 wrote to memory of 4408	772	cmd.exe	102
PID 772 wrote to memory of 4408	772	cmd.exe	102
PID 772 wrote to memory of 4408	772	cmd.exe	102
PID 5076 wrote to memory of 4032	5076	cmd.exe	103
PID 5076 wrote to memory of 4032	5076	cmd.exe	103
PID 5076 wrote to memory of 4032	5076	cmd.exe	103
PID 3712 wrote to memory of 1340	3712	msiexec.exe	104
PID 3712 wrote to memory of 1340	3712	msiexec.exe	104
PID 3712 wrote to memory of 1340	3712	msiexec.exe	104
PID 4032 wrote to memory of 4048	4032	inl151B.tmp	108
PID 4032 wrote to memory of 4048	4032	inl151B.tmp	108
PID 4032 wrote to memory of 4048	4032	inl151B.tmp	108

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55fd135b16bc34096a291df2265a6e14.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\indFC03.tmp
  C:\Users\Admin\AppData\Local\Temp\indFC03.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 264
    3⤵
    - Program crash
    PID:1080
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS116~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\inl151B.tmp
    C:\Users\Admin\AppData\Local\Temp\inl151B.tmp cdf1912.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl151B.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4360 -ip 4360
1⤵
PID:1696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D903C65C356B3B73A5D00312B994CBB0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5815f7.rbs

Filesize
8KB

MD5
a31a4d8da690e5fd7acd697419dd9edb

SHA1
ae098228d3b90a0b93afc1ae36693be047d305ea

SHA256
d381f9efe199628226d2bad44014a73401d7c8ef49cbc7f8f3073d507933e848

SHA512
c8548789445e5612812f729a5e4c8ec6ce44a7c839d51676b452bcddc386cd0418b645fd6ee6e758db4e723d81589f8dc076017680439e22812403d4def1e6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS116~1.INI

Filesize
66KB

MD5
c41c4ff8ecb97848a3861253aff13d19

SHA1
ef0dba8041868e597190e89b702665b0476d89e7

SHA256
fd8d0ebd9740dc551166866545f0babb4addf557ab60301cbf7c5e912858fe34

SHA512
28757a877b72e004a56af4baef161fb5fddaebe06d244ce6fd3aeb028b03c7c0073ace27f7fff1caad63d5a3f267dbca91181259f8e33fc4f388f0ba1c82b5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
0cbccb1ef7b06a45aa3776cdb0aa89f5

SHA1
dad24d768e755aea9f0a50561736baa63622ed8d

SHA256
b48c81c82283611acf08f1f3887d63f1286a786761b2f998de36fa0da35d6470

SHA512
a0f93fe35e92c7b03a75122eb59652214024ae39697a57365cd424a446068ab0c2cc9ccc0b4624641c86eb47cfc2bee8b0558852fafa6a7bf987f6d9d828a446

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1984-30-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/1984-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-1-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/4032-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4360-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4360-10-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4360-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download