Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2025, 12:16

General

  • Target

    JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe

  • Size

    192KB

  • MD5

    58b7158bdc6c028189fba27a6225cf8b

  • SHA1

    6ff9427fd114a9614bd68f8653a3d1d235de47cd

  • SHA256

    9c359252c8c43fd884f3aa2577793b81bcd8222648351defee5fb0ee2418d6ef

  • SHA512

    a56eb7dc03edde71a1fb3f0dcae5142241d809bcbfc0fb221afc524bf988cb4861374d0065913b69bcbca7b2969043de96e75aa422f2fe4f266ef12211f92fb1

  • SSDEEP

    3072:yibxUKA2LrBRTS2nO/bbeSnMPZHjgr8SXkK1AhnTGqD9SXLPVqYl:vbOK3Re/bb1MxH6zXkK+V9AbPVn

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Modifies registry class 11 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Users\Admin\AppData\Local\Temp\inlA7CB.tmp
        C:\Users\Admin\AppData\Local\Temp\inlA7CB.tmp cdf1912.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Users\Admin\AppData\Local\Temp\lieC68D.tmp
            C:\Users\Admin\AppData\Local\Temp\lieC68D.tmp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1404
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1716
              • C:\Windows\SysWOW64\PING.EXE
                ping 88.99.00.00
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3772
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                7⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Checks computer location settings
                • Drops desktop.ini file(s)
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4668
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER~1.DAT,MainLoad
                  8⤵
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  PID:440
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3364
          • C:\Users\Admin\AppData\Local\Temp\kilDDB0.tmp
            C:\Users\Admin\AppData\Local\Temp\kilDDB0.tmp
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:816
            • C:\Program Files\Common Files\19920306.exe
              "C:\Program Files\Common Files\19920306.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3084
            • C:\Program Files\Common Files\920306.exe
              "C:\Program Files\Common Files\920306.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1896
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 300
                7⤵
                • Program crash
                PID:3840
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 308
                7⤵
                • Program crash
                PID:3876
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlA7CB.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1896 -ip 1896
    1⤵
      PID:5032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
      1⤵
        PID:244
      • C:\Windows\system32\attrib.exe
        attrib +s +h "D:\RECYCLERMD4"
        1⤵
        • Process spawned unexpected child process
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1880
      • C:\Windows\system32\attrib.exe
        attrib +s +h "D:\VolumeXX\desktop.ini"
        1⤵
        • Process spawned unexpected child process
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4776
      • C:\Windows\system32\attrib.exe
        attrib +s +h "D:\VolumeXX"
        1⤵
        • Process spawned unexpected child process
        • Sets file to hidden
        • Views/modifies file attributes
        PID:5088

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files\Common Files\19920306.exe

        Filesize

        24.1MB

        MD5

        5b7f3402f9c78c650f97b1f7194dad44

        SHA1

        7edef5b550f2de2a9d19a40753b4470cbeaa44ce

        SHA256

        9bddd72ec1de3e0aecc799b36d3abc5602d86659591fc37fec83b8ab081ed639

        SHA512

        2137ced2954a1368baaa21963d84b4fde1792abf33fb27d66b8ef873e53fe8abeb5cfacb0e647d954b2350fdb8133eea9315802333202322cf2841ece780bd8a

      • C:\Program Files\Common Files\920306.exe

        Filesize

        24.2MB

        MD5

        f0ec49752787eec581d234b1ff9480ba

        SHA1

        5f42827e9ffcf9e1530e6c9a26d783ff74777519

        SHA256

        3fab7323de5d172635e02bd1717e8e34d0bb9f68077a206b18d73041edf0c581

        SHA512

        3c88234954ef64d9b173b092bd64ea86b20b006f1e3a38556ff37a163fe6e4dd161b26cf0ac8e0e656f13508b39ff8bb1769e151799f1fe3fccfba126ff09f98

      • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

        Filesize

        4KB

        MD5

        da597791be3b6e732f0bc8b20e38ee62

        SHA1

        1125c45d285c360542027d7554a5c442288974de

        SHA256

        5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

        SHA512

        d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4X3Q5MZS\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

        Filesize

        768B

        MD5

        d20d9eda31a2d0300e4589df7f352370

        SHA1

        79b46d2dbb489914cfedafdbc90e62951471b48e

        SHA256

        d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

        SHA512

        d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

      • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

        Filesize

        57B

        MD5

        bc81ed74133477f701169c64d9d8573c

        SHA1

        6002a9257b4ee581dd9a7608a3bc6979cc6d45a7

        SHA256

        f08552d91b7e4835a3236e3c5d0939c0c61abc22a2ac7d7f7e92f757b1b623f7

        SHA512

        918158c8c0a07361ee6bbddd3ce550fe54213ce4d0de9f4d05ef713f97fe2793cf07b8279207dc9e27220855402227ec73d40175fadad06c87ee33c3e76d8ba2

      • C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

        Filesize

        45B

        MD5

        ae3f678413f912040896bf1619b3453b

        SHA1

        0c28b60506b6bbfcec5648179e87af2a32a9594c

        SHA256

        e95c12f9cbe9a0db0d3ad7f2ed78cc306f05fdb47c6bcc46f5ca86aa7aca564c

        SHA512

        f77b038b319f9a81aceaa9aac9151117419b8949d406a52d9da390a05f7350fa497f74257b2dc0e84eb70b45fce8580994a3437dd42f67547be9fc7c4ca0e2a8

      • C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat

        Filesize

        45B

        MD5

        20b1525a90d464c1c1201f35d7163ea3

        SHA1

        648414c9cf991fb6e6900868fc807af332c4cafd

        SHA256

        5184e03d079db13e22ac0f716cba551624b2cb7f852b265ff706584df467fbc0

        SHA512

        955b43478be39e81109e1fcdc2c4a100b3c03886dcebae46b57e46697306044c9f6237c64c7485864f1b65091bb019fe0795b7b73fed279fa22719c6cf335152

      • C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat

        Filesize

        70B

        MD5

        edea5cd5060d69b6c558fea75e330a67

        SHA1

        929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

        SHA256

        1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

        SHA512

        adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

      • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

        Filesize

        98B

        MD5

        8663de6fce9208b795dc913d1a6a3f5b

        SHA1

        882193f208cf012eaf22eeaa4fef3b67e7c67c15

        SHA256

        2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

        SHA512

        9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

      • C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta

        Filesize

        7KB

        MD5

        d533fbcf6eec4c957935d4e81fbfcb56

        SHA1

        2fabf149662dadb7236766fa111e33990baa5def

        SHA256

        441f1948e33f12dd65b3f69dfdf34cfe3a3ab8c0cfbb32aa5502704386e5cdd4

        SHA512

        10f105a4c40dcac0a28f3f547850f9237a0f69158990dccaa198b3fd8d84b6f6c26c7c9e8ba353d813b80eaf98b8f620bb0e79bcbcdedde8b8c06906ba6f791b

      • C:\Users\Admin\Favorites\°ËØÔɫͼ.url

        Filesize

        154B

        MD5

        8d681a59ea75e91f730bd9ce3c42e514

        SHA1

        9d426029daeebf03c9053761e0e5a9f447f98e9c

        SHA256

        afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

        SHA512

        ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

      • C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url

        Filesize

        155B

        MD5

        5a17106c27138df10448c2c3be95f399

        SHA1

        56acc2ed4fea4171127a13dcdee08bdd39d674d6

        SHA256

        c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

        SHA512

        1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

      • C:\Users\Admin\Favorites\´´ÒµÍ¶×ʺÃÏîÄ¿.url

        Filesize

        156B

        MD5

        8a275b261afcc166671132b6f03831e4

        SHA1

        03ac21edc1de2df748ee3a301a6b3de989c423c3

        SHA256

        0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

        SHA512

        269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

      • C:\Users\Admin\Favorites\¿´¿´µçÓ°.url

        Filesize

        158B

        MD5

        d645085ab92574a2a17abd323415dde5

        SHA1

        49ebaa4499cacd9256f270f35f31684b7cd195b1

        SHA256

        41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

        SHA512

        a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

      • C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url

        Filesize

        157B

        MD5

        993f72a439a3301caeb969c7faa7a8b9

        SHA1

        176244349a0463cd0fc38cad426d89dc3b055311

        SHA256

        b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

        SHA512

        c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

      • \??\c:\users\admin\appdata\local\temp\favorites_url.cab

        Filesize

        425B

        MD5

        da68bc3b7c3525670a04366bc55629f5

        SHA1

        15fda47ecfead7db8f7aee6ca7570138ba7f1b71

        SHA256

        73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

        SHA512

        6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

      • memory/64-0-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/64-18-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

      • memory/64-19-0x00000000000D0000-0x00000000000D3000-memory.dmp

        Filesize

        12KB

      • memory/64-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

        Filesize

        12KB

      • memory/440-119-0x000000006A6C0000-0x000000006A6CC000-memory.dmp

        Filesize

        48KB

      • memory/816-96-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/816-109-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/1404-65-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

      • memory/1404-58-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

      • memory/1896-105-0x0000000000400000-0x0000000000430938-memory.dmp

        Filesize

        194KB

      • memory/1896-107-0x0000000000400000-0x0000000000430938-memory.dmp

        Filesize

        194KB

      • memory/4720-41-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/4720-110-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/4720-68-0x00000000000C0000-0x00000000000C3000-memory.dmp

        Filesize

        12KB

      • memory/4720-67-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/4720-43-0x00000000000C0000-0x00000000000C3000-memory.dmp

        Filesize

        12KB